CVSS: 9.0EPSS: 0%CPEs: 4EXPL: 0CVE-2020-25654 – pacemaker: ACL restrictions bypass
https://notcve.org/view.php?id=CVE-2020-25654
09 Nov 2020 — An ACL bypass flaw was found in pacemaker. An attacker having a local account on the cluster and in the haclient group could use IPC communication with various daemons directly to perform certain tasks that they would be prevented by ACLs from doing if they went through the configuration. Se encontró un fallo de omisión de ACL en pacemaker. Un atacante que tenga una cuenta local en el clúster y en el grupo haclient podría usar la comunicación IPC con varios demonios directamente para llevar a cabo determina... • https://bugzilla.redhat.com/show_bug.cgi?id=1888191 • CWE-284: Improper Access Control •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2019-3885 – pacemaker: Information disclosure through use-after-free
https://notcve.org/view.php?id=CVE-2019-3885
18 Apr 2019 — A use-after-free flaw was found in pacemaker up to and including version 2.0.1 which could result in certain sensitive information to be leaked via the system logs. En el software Pacemaker hasta la versión 2.0.1 inclusive, se encontró un defecto de uso que podía provocar la filtración de cierta información sensible a través de los registros del sistema. A use-after-free flaw was found in pacemaker which could result in certain sensitive information to be leaked via the system logs. Jan Pokorný discovered t... • http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00034.html • CWE-416: Use After Free •
CVSS: 8.8EPSS: 0%CPEs: 22EXPL: 0CVE-2018-16877 – pacemaker: Insufficient local IPC client-server authentication on the client's side can lead to local privesc
https://notcve.org/view.php?id=CVE-2018-16877
18 Apr 2019 — A flaw was found in the way pacemaker's client-server authentication was implemented in versions up to and including 2.0.0. A local attacker could use this flaw, and combine it with other IPC weaknesses, to achieve local privilege escalation. Se encontró un fallo en la forma en que se implementó la autenticación cliente-servidor del software Pacemaker, en versiones hasta la 2.0.0 inclusive. Un atacante local podría utilizar este fallo, y combinarlo con otras debilidades del IPC, para lograr una escalada de ... • http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00012.html • CWE-287: Improper Authentication •
CVSS: 6.2EPSS: 0%CPEs: 22EXPL: 0CVE-2018-16878 – pacemaker: Insufficient verification inflicted preference of uncontrolled processes can lead to DoS
https://notcve.org/view.php?id=CVE-2018-16878
18 Apr 2019 — A flaw was found in pacemaker up to and including version 2.0.1. An insufficient verification inflicted preference of uncontrolled processes can lead to DoS Se encontró un fallo en el software Pacemaker hasta la versión 2.0.1 inclusive. Una verificación insuficiente de los procesos preferentes no controlados puede llevar a una condición de denegación de servicios (DoS). A flaw was found in pacemaker. An insufficient verification inflicted preference of uncontrolled processes can lead to DoS. • http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00012.html • CWE-400: Uncontrolled Resource Consumption •
CVSS: 8.8EPSS: 0%CPEs: 7EXPL: 0CVE-2016-7035 – pacemaker: Privilege escalation due to improper guarding of IPC communication
https://notcve.org/view.php?id=CVE-2016-7035
04 Nov 2016 — An authorization flaw was found in Pacemaker before 1.1.16, where it did not properly guard its IPC interface. An attacker with an unprivileged account on a Pacemaker node could use this flaw to, for example, force the Local Resource Manager daemon to execute a script as root and thereby gain root access on the machine. Se ha detectado un error en Pacemaker en versiones anteriores a la 1.1.6 por el que no protegía correctamente su interfaz IPC. Un atacante con una cuenta sin privilegios en un nodo Pacemaker... • http://rhn.redhat.com/errata/RHSA-2016-2614.html • CWE-285: Improper Authorization •
CVSS: 8.6EPSS: 3%CPEs: 7EXPL: 0CVE-2016-7797 – pacemaker: pacemaker remote nodes vulnerable to hijacking, resulting in a DoS attack
https://notcve.org/view.php?id=CVE-2016-7797
03 Nov 2016 — Pacemaker before 1.1.15, when using pacemaker remote, might allow remote attackers to cause a denial of service (node disconnection) via an unauthenticated connection. Pacemaker en versiones anteriores a 1.1.15, al usar el control remoto de marcapasos, podría permitir a atacantes remotos provocar una denegación de servicio (desconexión de nodo) a través de una conexión no autenticada. It was found that the connection between a pacemaker cluster and a pacemaker_remote node could be shut down using a new unau... • http://bugs.clusterlabs.org/show_bug.cgi?id=5269 • CWE-254: 7PK - Security Features •
CVSS: 9.8EPSS: 0%CPEs: 5EXPL: 0CVE-2015-1867 – pacemaker: acl read-only access allow role assignment
https://notcve.org/view.php?id=CVE-2015-1867
22 Jul 2015 — Pacemaker before 1.1.13 does not properly evaluate added nodes, which allows remote read-only users to gain privileges via an acl command. Vulnerabilidad en Pacemaker en versiones anteriores a 1.1.13, no evalúa correctamente nodos añadidos, lo que permite a usuarios remotos de sólo lectura obtener privilegios a través de un comando de acl. A flaw was found in the way pacemaker, a cluster resource manager, evaluated added nodes in certain situations. A user with read-only access could potentially assign any ... • http://lists.fedoraproject.org/pipermail/package-announce/2015-November/170610.html • CWE-264: Permissions, Privileges, and Access Controls CWE-863: Incorrect Authorization •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 1CVE-2013-0281 – pacemaker: remote DoS when CIB management is enabled caused by use of blocking sockets
https://notcve.org/view.php?id=CVE-2013-0281
21 Nov 2013 — Pacemaker 1.1.10, when remote Cluster Information Base (CIB) configuration or resource management is enabled, does not limit the duration of connections to the blocking sockets, which allows remote attackers to cause a denial of service (connection blocking). Pacemaker 1.1.10, cuando la configuración o recurso de la administración remota Cluster Information Base (CIB) está activada, no limita la duración de las conexiones hacia los sockets de bloqueo, lo que permite a atacantes remotos provocar una denegaci... • http://rhn.redhat.com/errata/RHSA-2013-1635.html • CWE-399: Resource Management Errors •