CVSS: 9.0EPSS: 0%CPEs: 4EXPL: 0CVE-2020-25654 – pacemaker: ACL restrictions bypass
https://notcve.org/view.php?id=CVE-2020-25654
09 Nov 2020 — An ACL bypass flaw was found in pacemaker. An attacker having a local account on the cluster and in the haclient group could use IPC communication with various daemons directly to perform certain tasks that they would be prevented by ACLs from doing if they went through the configuration. Se encontró un fallo de omisión de ACL en pacemaker. Un atacante que tenga una cuenta local en el clúster y en el grupo haclient podría usar la comunicación IPC con varios demonios directamente para llevar a cabo determina... • https://bugzilla.redhat.com/show_bug.cgi?id=1888191 • CWE-284: Improper Access Control •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2014-0104
https://notcve.org/view.php?id=CVE-2014-0104
02 Jan 2020 — In fence-agents before 4.0.17 does not verify remote SSL certificates in the fence_cisco_ucs.py script which can potentially allow for man-in-the-middle attackers to spoof SSL servers via arbitrary SSL certificates. En fence-agents versiones anteriores a la versión 4.0.17, no se comprueban los certificados SSL remotos en el script fence_cisco_ucs.py, lo que puede permitir potencialmente que los atacantes de tipo man-in-the-middle puedan falsificar servidores SSL por medio de certificados SSL arbitrarios. • https://access.redhat.com/security/cve/cve-2014-0104 • CWE-295: Improper Certificate Validation •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2011-5271
https://notcve.org/view.php?id=CVE-2011-5271
12 Nov 2019 — Pacemaker before 1.1.6 configure script creates temporary files insecurely Pacemaker versiones anteriores a 1.1.6, un script de configuración crea archivos temporales de forma no segura. • http://www.openwall.com/lists/oss-security/2014/02/11/1 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVSS: 5.0EPSS: 0%CPEs: 4EXPL: 0CVE-2019-10153 – fence-agents: mis-handling of non-ASCII characters in guest comment fields
https://notcve.org/view.php?id=CVE-2019-10153
30 Jul 2019 — A flaw was discovered in fence-agents, prior to version 4.3.4, where using non-ASCII characters in a guest VM's comment or other fields would cause fence_rhevm to exit with an exception. In cluster environments, this could lead to preventing automated recovery or otherwise denying service to clusters of which that VM is a member. Se detectó un fallo en fence-agents, anterior a versión 4.3.4, donde el uso de caracteres no ASCII en un comentario de una Máquina Virtual invitada u otros campos causaría que fenc... • https://access.redhat.com/errata/RHSA-2019:2037 • CWE-172: Encoding Error •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 2CVE-2019-12779 – libqb: Insecure treatment of IPC (temporary) files
https://notcve.org/view.php?id=CVE-2019-12779
07 Jun 2019 — libqb before 1.0.5 allows local users to overwrite arbitrary files via a symlink attack, because it uses predictable filenames (under /dev/shm and /tmp) without O_EXCL. libqb anterior a la versión 1.0.5 permite a los usuarios locales sobrescribir archivos arbitrarios mediante un ataque de enlace simbólico (symlink attack), porque utiliza nombres de archivo predecibles (bajo /dev/shm y /tmp) sin O_EXCL. The libqb packages provide a library with the primary purpose of providing high performance client/server ... • http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00017.html • CWE-59: Improper Link Resolution Before File Access ('Link Following') CWE-377: Insecure Temporary File •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2019-3885 – pacemaker: Information disclosure through use-after-free
https://notcve.org/view.php?id=CVE-2019-3885
18 Apr 2019 — A use-after-free flaw was found in pacemaker up to and including version 2.0.1 which could result in certain sensitive information to be leaked via the system logs. En el software Pacemaker hasta la versión 2.0.1 inclusive, se encontró un defecto de uso que podía provocar la filtración de cierta información sensible a través de los registros del sistema. A use-after-free flaw was found in pacemaker which could result in certain sensitive information to be leaked via the system logs. Jan Pokorný discovered t... • http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00034.html • CWE-416: Use After Free •
CVSS: 8.8EPSS: 0%CPEs: 22EXPL: 0CVE-2018-16877 – pacemaker: Insufficient local IPC client-server authentication on the client's side can lead to local privesc
https://notcve.org/view.php?id=CVE-2018-16877
18 Apr 2019 — A flaw was found in the way pacemaker's client-server authentication was implemented in versions up to and including 2.0.0. A local attacker could use this flaw, and combine it with other IPC weaknesses, to achieve local privilege escalation. Se encontró un fallo en la forma en que se implementó la autenticación cliente-servidor del software Pacemaker, en versiones hasta la 2.0.0 inclusive. Un atacante local podría utilizar este fallo, y combinarlo con otras debilidades del IPC, para lograr una escalada de ... • http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00012.html • CWE-287: Improper Authentication •
CVSS: 6.2EPSS: 0%CPEs: 22EXPL: 0CVE-2018-16878 – pacemaker: Insufficient verification inflicted preference of uncontrolled processes can lead to DoS
https://notcve.org/view.php?id=CVE-2018-16878
18 Apr 2019 — A flaw was found in pacemaker up to and including version 2.0.1. An insufficient verification inflicted preference of uncontrolled processes can lead to DoS Se encontró un fallo en el software Pacemaker hasta la versión 2.0.1 inclusive. Una verificación insuficiente de los procesos preferentes no controlados puede llevar a una condición de denegación de servicios (DoS). A flaw was found in pacemaker. An insufficient verification inflicted preference of uncontrolled processes can lead to DoS. • http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00012.html • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2018-1086 – pcs: Debug parameter removal bypass, allowing information disclosure
https://notcve.org/view.php?id=CVE-2018-1086
11 Apr 2018 — pcs before versions 0.9.164 and 0.10 is vulnerable to a debug parameter removal bypass. REST interface of the pcsd service did not properly remove the pcs debug argument from the /run_pcs query, possibly disclosing sensitive information. A remote attacker with a valid token could use this flaw to elevate their privilege. pcs, en versiones anteriores a la 0.9.164 y 0.10, es vulnerable a una omisión de eliminación de un parámetro de depuración. La interfaz REST del servicio pcsd no eliminó correctamente el ar... • https://access.redhat.com/errata/RHSA-2018:1060 • CWE-20: Improper Input Validation CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.7EPSS: 0%CPEs: 4EXPL: 0CVE-2018-1079 – pcs: Privilege escalation via authorized user malicious REST call
https://notcve.org/view.php?id=CVE-2018-1079
11 Apr 2018 — pcs before version 0.9.164 and 0.10 is vulnerable to a privilege escalation via authorized user malicious REST call. The REST interface of the pcsd service did not properly sanitize the file name from the /remote/put_file query. If the /etc/booth directory exists, an authenticated attacker with write permissions could create or overwrite arbitrary files with arbitrary data outside of the /etc/booth directory, in the context of the pcsd process. pcs, en versiones anteriores a la 0.9.164 y 0.10, es vulnerable... • https://access.redhat.com/errata/RHSA-2018:1060 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-552: Files or Directories Accessible to External Parties •