CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2017-2661
https://notcve.org/view.php?id=CVE-2017-2661
12 Mar 2018 — ClusterLabs pcs before version 0.9.157 is vulnerable to a cross-site scripting vulnerability due to improper validation of Node name field when creating new cluster or adding existing cluster. ClusterLabs pcs, en versiones anteriores a la 0.9.157, es vulnerable a Cross-Site Scripting (XSS) debido a la validación incorrecta del campo Node name al crear un nuevo clúster o al añadir uno ya existente. • https://bugzilla.redhat.com/show_bug.cgi?id=1428948 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 0CVE-2016-0720 – pcs: Cross-Site Request Forgery in web UI
https://notcve.org/view.php?id=CVE-2016-0720
04 Nov 2016 — Cross-site request forgery (CSRF) vulnerability in pcsd web UI in pcs before 0.9.149. Vulnerabilidad de CSRF en pcsd web UI en pcs en versiones anteriores a 0.9.149. A Cross-Site Request Forgery (CSRF) flaw was found in the pcsd web UI. A remote attacker could provide a specially crafted web page that, when visited by a user with a valid pcsd session, would allow the attacker to trigger requests on behalf of the user, for example removing resources or restarting/removing nodes. The pcs packages provide a co... • http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178261.html • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.1EPSS: 0%CPEs: 4EXPL: 0CVE-2016-0721 – pcs: cookies are not invalidated upon logout
https://notcve.org/view.php?id=CVE-2016-0721
04 Nov 2016 — Session fixation vulnerability in pcsd in pcs before 0.9.157. Vulnerabilidad de fijación de sesión en pcsd en pcs en versiones anteriores a 0.9.157. It was found that pcsd did not invalidate cookies on the server side when a user logged out. This could potentially allow an attacker to perform session fixation attacks on pcsd. The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities. • http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178261.html • CWE-384: Session Fixation •
CVSS: 8.8EPSS: 0%CPEs: 7EXPL: 0CVE-2016-7035 – pacemaker: Privilege escalation due to improper guarding of IPC communication
https://notcve.org/view.php?id=CVE-2016-7035
04 Nov 2016 — An authorization flaw was found in Pacemaker before 1.1.16, where it did not properly guard its IPC interface. An attacker with an unprivileged account on a Pacemaker node could use this flaw to, for example, force the Local Resource Manager daemon to execute a script as root and thereby gain root access on the machine. Se ha detectado un error en Pacemaker en versiones anteriores a la 1.1.6 por el que no protegía correctamente su interfaz IPC. Un atacante con una cuenta sin privilegios en un nodo Pacemaker... • http://rhn.redhat.com/errata/RHSA-2016-2614.html • CWE-285: Improper Authorization •
CVSS: 8.6EPSS: 3%CPEs: 7EXPL: 0CVE-2016-7797 – pacemaker: pacemaker remote nodes vulnerable to hijacking, resulting in a DoS attack
https://notcve.org/view.php?id=CVE-2016-7797
03 Nov 2016 — Pacemaker before 1.1.15, when using pacemaker remote, might allow remote attackers to cause a denial of service (node disconnection) via an unauthenticated connection. Pacemaker en versiones anteriores a 1.1.15, al usar el control remoto de marcapasos, podría permitir a atacantes remotos provocar una denegación de servicio (desconexión de nodo) a través de una conexión no autenticada. It was found that the connection between a pacemaker cluster and a pacemaker_remote node could be shut down using a new unau... • http://bugs.clusterlabs.org/show_bug.cgi?id=5269 • CWE-254: 7PK - Security Features •
CVSS: 9.8EPSS: 0%CPEs: 5EXPL: 0CVE-2015-1867 – pacemaker: acl read-only access allow role assignment
https://notcve.org/view.php?id=CVE-2015-1867
22 Jul 2015 — Pacemaker before 1.1.13 does not properly evaluate added nodes, which allows remote read-only users to gain privileges via an acl command. Vulnerabilidad en Pacemaker en versiones anteriores a 1.1.13, no evalúa correctamente nodos añadidos, lo que permite a usuarios remotos de sólo lectura obtener privilegios a través de un comando de acl. A flaw was found in the way pacemaker, a cluster resource manager, evaluated added nodes in certain situations. A user with read-only access could potentially assign any ... • http://lists.fedoraproject.org/pipermail/package-announce/2015-November/170610.html • CWE-264: Permissions, Privileges, and Access Controls CWE-863: Incorrect Authorization •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 1CVE-2013-0281 – pacemaker: remote DoS when CIB management is enabled caused by use of blocking sockets
https://notcve.org/view.php?id=CVE-2013-0281
21 Nov 2013 — Pacemaker 1.1.10, when remote Cluster Information Base (CIB) configuration or resource management is enabled, does not limit the duration of connections to the blocking sockets, which allows remote attackers to cause a denial of service (connection blocking). Pacemaker 1.1.10, cuando la configuración o recurso de la administración remota Cluster Information Base (CIB) está activada, no limita la duración de las conexiones hacia los sockets de bloqueo, lo que permite a atacantes remotos provocar una denegaci... • http://rhn.redhat.com/errata/RHSA-2013-1635.html • CWE-399: Resource Management Errors •