CVSS: 9.0EPSS: 0%CPEs: 4EXPL: 0CVE-2020-25654 – pacemaker: ACL restrictions bypass
https://notcve.org/view.php?id=CVE-2020-25654
An ACL bypass flaw was found in pacemaker. An attacker having a local account on the cluster and in the haclient group could use IPC communication with various daemons directly to perform certain tasks that they would be prevented by ACLs from doing if they went through the configuration. Se encontró un fallo de omisión de ACL en pacemaker. Un atacante que tenga una cuenta local en el clúster y en el grupo haclient podría usar la comunicación IPC con varios demonios directamente para llevar a cabo determinadas tareas que las ACL no podrían hacer si pasaran por la configuración An ACL bypass flaw was found in Pacemaker. This flaw allows an attacker with a local account on the cluster and in the haclient group to use IPC communication with various daemons to directly perform certain tasks that would be prevented if they had gone through configured ACLs. • https://bugzilla.redhat.com/show_bug.cgi?id=1888191 https://lists.clusterlabs.org/pipermail/users/2020-October/027840.html https://lists.debian.org/debian-lts-announce/2021/01/msg00007.html https://seclists.org/oss-sec/2020/q4/83 https://security.gentoo.org/glsa/202309-09 https://access.redhat.com/security/cve/CVE-2020-25654 • CWE-284: Improper Access Control •
CVSS: 7.5EPSS: 1%CPEs: 6EXPL: 0CVE-2019-3885 – pacemaker: Information disclosure through use-after-free
https://notcve.org/view.php?id=CVE-2019-3885
A use-after-free flaw was found in pacemaker up to and including version 2.0.1 which could result in certain sensitive information to be leaked via the system logs. En el software Pacemaker hasta la versión 2.0.1 inclusive, se encontró un defecto de uso que podía provocar la filtración de cierta información sensible a través de los registros del sistema. A use-after-free flaw was found in pacemaker which could result in certain sensitive information to be leaked via the system logs. • http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00034.html http://www.securityfocus.com/bid/108036 https://access.redhat.com/errata/RHSA-2019:1278 https://access.redhat.com/errata/RHSA-2019:1279 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3885 https://github.com/ClusterLabs/pacemaker/pull/1749 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3GCWFO7GL6MBU6C4BGFO3P6L77DIBBF3 https://lists.fedoraproject.org/archives/list/package-announce&# • CWE-416: Use After Free •
CVSS: 8.8EPSS: 0%CPEs: 22EXPL: 0CVE-2018-16877 – pacemaker: Insufficient local IPC client-server authentication on the client's side can lead to local privesc
https://notcve.org/view.php?id=CVE-2018-16877
A flaw was found in the way pacemaker's client-server authentication was implemented in versions up to and including 2.0.0. A local attacker could use this flaw, and combine it with other IPC weaknesses, to achieve local privilege escalation. Se encontró un fallo en la forma en que se implementó la autenticación cliente-servidor del software Pacemaker, en versiones hasta la 2.0.0 inclusive. Un atacante local podría utilizar este fallo, y combinarlo con otras debilidades del IPC, para lograr una escalada de privilegios locales. A flaw was found in the way pacemaker's client-server authentication was implemented. • http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00012.html http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00034.html http://www.securityfocus.com/bid/108042 https://access.redhat.com/errata/RHSA-2019:1278 https://access.redhat.com/errata/RHSA-2019:1279 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16877 https://github.com/ClusterLabs/pacemaker/pull/1749 https://lists.debian.org/debian-lts-announce/2021/01/msg00007.html https://lists.fedoraprojec • CWE-287: Improper Authentication •
CVSS: 6.2EPSS: 0%CPEs: 22EXPL: 0CVE-2018-16878 – pacemaker: Insufficient verification inflicted preference of uncontrolled processes can lead to DoS
https://notcve.org/view.php?id=CVE-2018-16878
A flaw was found in pacemaker up to and including version 2.0.1. An insufficient verification inflicted preference of uncontrolled processes can lead to DoS Se encontró un fallo en el software Pacemaker hasta la versión 2.0.1 inclusive. Una verificación insuficiente de los procesos preferentes no controlados puede llevar a una condición de denegación de servicios (DoS). A flaw was found in pacemaker. An insufficient verification inflicted preference of uncontrolled processes can lead to DoS. • http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00012.html http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00034.html http://www.securityfocus.com/bid/108039 https://access.redhat.com/errata/RHSA-2019:1278 https://access.redhat.com/errata/RHSA-2019:1279 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16878 https://github.com/ClusterLabs/pacemaker/pull/1749 https://lists.debian.org/debian-lts-announce/2021/01/msg00007.html https://lists.fedoraprojec • CWE-400: Uncontrolled Resource Consumption •
CVSS: 8.8EPSS: 0%CPEs: 7EXPL: 0CVE-2016-7035 – pacemaker: Privilege escalation due to improper guarding of IPC communication
https://notcve.org/view.php?id=CVE-2016-7035
An authorization flaw was found in Pacemaker before 1.1.16, where it did not properly guard its IPC interface. An attacker with an unprivileged account on a Pacemaker node could use this flaw to, for example, force the Local Resource Manager daemon to execute a script as root and thereby gain root access on the machine. Se ha detectado un error en Pacemaker en versiones anteriores a la 1.1.6 por el que no protegía correctamente su interfaz IPC. Un atacante con una cuenta sin privilegios en un nodo Pacemaker podría emplear este error para, por ejemplo, forzar al demonio Local Resource Manager para que ejecute un script como root y, por lo tanto, obtenga acceso root a la máquina An authorization flaw was found in Pacemaker, where it did not properly guard its IPC interface. An attacker with an unprivileged account on a Pacemaker node could use this flaw to, for example, force the Local Resource Manager daemon to execute a script as root and thereby gain root access on the machine. • http://rhn.redhat.com/errata/RHSA-2016-2614.html http://rhn.redhat.com/errata/RHSA-2016-2675.html http://www.openwall.com/lists/oss-security/2016/11/03/5 http://www.securityfocus.com/bid/94214 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7035 https://github.com/ClusterLabs/pacemaker/commit/5d71e65049 https://lists.clusterlabs.org/pipermail/users/2016-November/004432.html https://security.gentoo.org/glsa/201710-08 https://access.redhat.com/security/cve/CVE-2016- • CWE-285: Improper Authorization •