CVE-2018-1086
Published: 2018-04-12
Severity: high (7.5, CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
pcs before versions 0.9.164 and 0.10 is vulnerable to a debug parameter removal bypass. The REST interface of the pcsd service did not properly remove the pcs debug argument from the /run_pcs query, possibly disclosing sensitive information. A remote attacker with a valid token could use this flaw to elevate their privilege.

Triage caveat: the NVD vector scores Privileges Required as None (PR:N) and impact as confidentiality only (C:H/I:N/A:N), while the description requires a valid pcsd token. Treat every holder of a pcsd token, not only anonymous clients, as in scope, and treat any environment where pcs debug output could expose cluster secrets as exposed until pcs is at 0.9.164 or later.
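The advisory's root cause is a remote-command endpoint that tried to strip one dangerous argument and could be made to miss it. The following Ruby block is an added illustration written for this page, not pcsd's own code: it contrasts the fragile pattern (delete the exact string `--debug` and forward whatever remains) with a fail-closed sanitizer that allowlists subcommands and options and rejects the whole request on anything unexpected. The subcommand and option allowlists, the `RejectedCommand` class, and the variant spellings of the flag in the sample input are all constructed for the example; they do not describe the actual pcs bypass or pcs's real option grammar.

```ruby
# Added illustration (not pcsd's code): exact-string removal of a dangerous
# flag versus a fail-closed allowlist for a remote command endpoint.
# Flag spellings used as samples are constructed, not a recorded pcs bypass.

DEBUG_FLAG = '--debug'.freeze

# Weak pattern: drop only arguments byte-for-byte equal to the flag and
# forward everything else. Any other spelling survives untouched.
def strip_debug_exact(args)
  args.map(&:to_s).reject { |a| a == DEBUG_FLAG }
end

# Hypothetical allowlists for this example only.
ALLOWED_SUBCOMMANDS = %w[status config resource].freeze
ALLOWED_OPTIONS     = %w[--full --all].freeze

class RejectedCommand < StandardError; end

# Hardened pattern: validate every argument and refuse the request on the
# first unexpected one instead of silently editing the command line.
def sanitize_command(args)
  args = args.map(&:to_s)
  raise RejectedCommand, 'empty command' if args.empty?
  unless ALLOWED_SUBCOMMANDS.include?(args.first)
    raise RejectedCommand, "subcommand not allowed: #{args.first.inspect}"
  end
  args.drop(1).each do |a|
    # Normalise whitespace and case before comparing, so that padded,
    # capitalised or "=value" forms cannot slip past an exact-match check.
    norm = a.strip.downcase
    if norm.start_with?(DEBUG_FLAG)
      raise RejectedCommand, "debug option not permitted: #{a.inspect}"
    end
    # Anything that looks like an option must be explicitly allowlisted;
    # positional arguments (resource names etc.) pass through.
    if norm.start_with?('-') && !ALLOWED_OPTIONS.include?(norm)
      raise RejectedCommand, "option not allowed: #{a.inspect}"
    end
  end
  args
end

# Boolean wrapper for side-by-side comparison.
def accepted?(args)
  sanitize_command(args)
  true
rescue RejectedCommand
  false
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample requests, as an HTTP handler might receive them.
  samples = [
    %w[status --full],
    %w[status --debug],
    %w[status --debug=1],
    ['status', ' --debug'],
    %w[status --DEBUG],
    %w[stonith --full],
  ]
  samples.each do |s|
    puts format('%-26s weak=>%-24s hardened=>%s',
                s.inspect, strip_debug_exact(s).inspect, accepted?(s))
  end
end
```

The design point is that the weak filter only ever removes the one spelling it knows, so the security of the endpoint depends on the downstream parser never accepting any other form; the hardened version makes the endpoint's decision independent of that parser by refusing anything it has not explicitly approved.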
Affected
15 ranges (verbatim duplicate rows collapsed)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| clusterlabs | pacemaker_command_line_interface | — | — |
| clusterlabs | pcs | >= 0 < 0.9.164-1 | 0.9.164-1 |
| clusterlabs | pcs | >= 0 < 0.9.149-1ubuntu1.1+esm1 | 0.9.149-1ubuntu1.1+esm1 |
| clusterlabs | pcs | >= 0 < 0.10.4-3ubuntu0.1~esm1 | 0.10.4-3ubuntu0.1~esm1 |
| clusterlabs | pcs | >= 0 < 0.10.11-2ubuntu3+esm1 | 0.10.11-2ubuntu3+esm1 |
| debian | debian_linux | — | — |
| debian | pcs | < 0.9.164-1 (bookworm) | 0.9.164-1 (bookworm) |
| redhat | enterprise_linux_server_eus | — | — |
| redhat | pcs | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| OSV | — | 7.5 | HIGH | — |