CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 0CVE-2023-2319 – pcs: webpack: Regression of CVE-2023-28154 fixes in the Red Hat Enterprise Linux
https://notcve.org/view.php?id=CVE-2023-2319
It was discovered that an update for PCS package in RHBA-2023:2151 erratum released as part of Red Hat Enterprise Linux 9.2 failed to include the fix for the Webpack issue CVE-2023-28154 (for PCS package), which was previously addressed in Red Hat Enterprise Linux 9.1 via erratum RHSA-2023:1591. The CVE-2023-2319 was assigned to that Red Hat specific security regression in Red Hat Enterprise Linux 9.2. • https://access.redhat.com/errata/RHSA-2023:2652 https://access.redhat.com/security/cve/CVE-2023-2319 https://bugzilla.redhat.com/show_bug.cgi?id=2190092 •
CVSS: 8.4EPSS: 0%CPEs: 2EXPL: 0CVE-2022-2735 – pcs: obtaining an authentication token for hacluster user could lead to privilege escalation
https://notcve.org/view.php?id=CVE-2022-2735
A vulnerability was found in the PCS project. This issue occurs due to incorrect permissions on a Unix socket used for internal communication between PCS daemons. A privilege escalation could happen by obtaining an authentication token for a hacluster user. With the "hacluster" token, this flaw allows an attacker to have complete control over the cluster managed by PCS. Se ha encontrado una vulnerabilidad en el proyecto PCS. • https://access.redhat.com/security/cve/CVE-2022-2735 https://bugzilla.redhat.com/show_bug.cgi?id=2116815 https://www.debian.org/security/2022/dsa-5226 https://www.openwall.com/lists/oss-security/2022/09/01/4 • CWE-276: Incorrect Default Permissions •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 1CVE-2022-1049 – pcs: improper authentication via PAM
https://notcve.org/view.php?id=CVE-2022-1049
A flaw was found in the Pacemaker configuration tool (pcs). The pcs daemon was allowing expired accounts, and accounts with expired passwords to login when using PAM authentication. Therefore, unprivileged expired accounts that have been denied access could still login. Se encontró un fallo en la herramienta de configuración de Pacemaker (pcs). El demonio pcs permitía que las cuentas caducadas y las cuentas con contraseñas caducadas iniciaran sesión cuando era usada la autenticación PAM. • https://huntr.dev/bounties/7aa921fc-a568-4fd8-96f4-7cd826246aa5 https://lists.debian.org/debian-lts-announce/2022/09/msg00017.html https://www.debian.org/security/2022/dsa-5226 https://access.redhat.com/security/cve/CVE-2022-1049 https://bugzilla.redhat.com/show_bug.cgi?id=2066629 • CWE-287: Improper Authentication •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2017-2661
https://notcve.org/view.php?id=CVE-2017-2661
ClusterLabs pcs before version 0.9.157 is vulnerable to a cross-site scripting vulnerability due to improper validation of Node name field when creating new cluster or adding existing cluster. ClusterLabs pcs, en versiones anteriores a la 0.9.157, es vulnerable a Cross-Site Scripting (XSS) debido a la validación incorrecta del campo Node name al crear un nuevo clúster o al añadir uno ya existente. • https://bugzilla.redhat.com/show_bug.cgi?id=1428948 https://github.com/ClusterLabs/pcs/commit/1874a769b5720ae5430f10c6cedd234430bc703f • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.1EPSS: 0%CPEs: 4EXPL: 0CVE-2016-0721 – pcs: cookies are not invalidated upon logout
https://notcve.org/view.php?id=CVE-2016-0721
Session fixation vulnerability in pcsd in pcs before 0.9.157. Vulnerabilidad de fijación de sesión en pcsd en pcs en versiones anteriores a 0.9.157. It was found that pcsd did not invalidate cookies on the server side when a user logged out. This could potentially allow an attacker to perform session fixation attacks on pcsd. • http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178261.html http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178384.html http://rhn.redhat.com/errata/RHSA-2016-2596.html http://www.securityfocus.com/bid/97977 https://bugzilla.redhat.com/show_bug.cgi?id=1299615 https://github.com/ClusterLabs/pcs/commit/acdbbe8307e6f4a36b2c7754765e732e43fe8d17 https://github.com/ClusterLabs/pcs/commit/bc6ad9086857559db57f4e3e6de66762291c0774 https://github.com/ClusterLabs/pcs/commit/e9b28833d54a47ec441f6 • CWE-384: Session Fixation •