CVE-2018-1086 — Improper Input Validation in Pacemaker Command Line Interface

CWE-20 — Improper Input Validation CWE-200 — Sensitive Information Exposure10 documents8 sources

Severity

7.5HIGHNVD

CNA4.3OSV6.1

EPSS

0.2%

top 57.85%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Clusterlabs PCS Redhat PCS Clusterlabs Pacemaker Command Line Interface +2 more

Timeline

PublishedApr 12

Latest updateJul 2

Description

pcs before versions 0.9.164 and 0.10 is vulnerable to a debug parameter removal bypass. REST interface of the pcsd service did not properly remove the pcs debug argument from the /run_pcs query, possibly disclosing sensitive information. A remote attacker with a valid token could use this flaw to elevate their privilege.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶NVDclusterlabs/pacemaker_command_line_interface0.10, 0.9.164+1

▶Debianclusterlabs/pcs< 0.9.164-1+3

▶Ubuntuclusterlabs/pcs< 0.9.149-1ubuntu1.1+esm1+2

▶CVEListV5redhat/pcspcs 0.10, pcs 0.9.164+1

Also affects: Debian Linux 9.0, Enterprise Linux 7.5, 7.6

🔴Vulnerability Details

OSV

pcs vulnerabilities↗2025-07-02

▶

GHSA

GHSA-p9pc-vgv7-x9j9: pcs before versions 0↗2022-05-13

▶

CVEList

CVE-2018-1086: pcs before versions 0↗2018-04-12

▶

OSV

CVE-2018-1086: pcs before versions 0↗2018-04-12

▶

📋Vendor Advisories

Ubuntu

pcs vulnerabilities↗2025-07-02

▶

Red Hat

pcs: Debug parameter removal bypass, allowing information disclosure↗2018-04-09

▶

Debian

CVE-2018-1086: pcs - pcs before versions 0.9.164 and 0.10 is vulnerable to a debug parameter removal ...↗2018

▶

💬Community

Bugzilla

CVE-2018-1086 pcs: Debug parameter removal bypass, allowing information disclosure [fedora-all]↗2018-04-09

▶

Bugzilla

CVE-2018-1086 pcs: Debug parameter removal bypass, allowing information disclosure↗2018-03-16

▶