CVE-2020-25654 — Improper Access Control in Pacemaker

CWE-284 — Improper Access Control10 documents8 sources

Severity

7.2HIGHNVD

EPSS

0.1%

top 75.17%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Clusterlabs Pacemaker Debian Linux

Timeline

PublishedNov 24

Latest updateMay 24

Description

An ACL bypass flaw was found in pacemaker. An attacker having a local account on the cluster and in the haclient group could use IPC communication with various daemons directly to perform certain tasks that they would be prevented by ACLs from doing if they went through the configuration.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages3 packages

▶NVDclusterlabs/pacemaker2.0.0 — 2.0.3+2

▶Debianclusterlabs/pacemaker< 2.0.5~rc2-1+3

▶CVEListV5clusterlabs/pacemakerpacemaker 1.1.24-rc1, pacemaker 2.0.5-rc2

Also affects: Debian Linux 9.0

🔴Vulnerability Details

GHSA

GHSA-3q2f-h5rm-7qv7: An ACL bypass flaw was found in pacemaker before 1↗2022-05-24

▶

OSV

CVE-2020-25654: An ACL bypass flaw was found in pacemaker↗2020-11-24

▶

CVEList

CVE-2020-25654: An ACL bypass flaw was found in pacemaker↗2020-11-24

▶

📋Vendor Advisories

Ubuntu

Pacemaker vulnerability↗2020-11-09

▶

Red Hat

pacemaker: ACL restrictions bypass↗2020-10-27

▶

Debian

CVE-2020-25654: pacemaker - An ACL bypass flaw was found in pacemaker. An attacker having a local account on...↗2020

▶

💬Community

Bugzilla

CVE-2020-25654 pacemaker: ACL restrictions bypass [openstack-rdo]↗2020-10-27

▶

Bugzilla

CVE-2020-25654 pacemaker: ACL restrictions bypass [fedora-all]↗2020-10-27

▶

Bugzilla

CVE-2020-25654 pacemaker: ACL restrictions bypass↗2020-10-14

▶