CVSS: 8.4EPSS: 0%CPEs: 2EXPL: 0CVE-2022-2735 – pcs: obtaining an authentication token for hacluster user could lead to privilege escalation
https://notcve.org/view.php?id=CVE-2022-2735
A vulnerability was found in the PCS project. This issue occurs due to incorrect permissions on a Unix socket used for internal communication between PCS daemons. A privilege escalation could happen by obtaining an authentication token for a hacluster user. With the "hacluster" token, this flaw allows an attacker to have complete control over the cluster managed by PCS. Se ha encontrado una vulnerabilidad en el proyecto PCS. • https://access.redhat.com/security/cve/CVE-2022-2735 https://bugzilla.redhat.com/show_bug.cgi?id=2116815 https://www.debian.org/security/2022/dsa-5226 https://www.openwall.com/lists/oss-security/2022/09/01/4 • CWE-276: Incorrect Default Permissions •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 1CVE-2022-1049 – pcs: improper authentication via PAM
https://notcve.org/view.php?id=CVE-2022-1049
A flaw was found in the Pacemaker configuration tool (pcs). The pcs daemon was allowing expired accounts, and accounts with expired passwords to login when using PAM authentication. Therefore, unprivileged expired accounts that have been denied access could still login. Se encontró un fallo en la herramienta de configuración de Pacemaker (pcs). El demonio pcs permitía que las cuentas caducadas y las cuentas con contraseñas caducadas iniciaran sesión cuando era usada la autenticación PAM. • https://huntr.dev/bounties/7aa921fc-a568-4fd8-96f4-7cd826246aa5 https://lists.debian.org/debian-lts-announce/2022/09/msg00017.html https://www.debian.org/security/2022/dsa-5226 https://access.redhat.com/security/cve/CVE-2022-1049 https://bugzilla.redhat.com/show_bug.cgi?id=2066629 • CWE-287: Improper Authentication •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2017-2661
https://notcve.org/view.php?id=CVE-2017-2661
ClusterLabs pcs before version 0.9.157 is vulnerable to a cross-site scripting vulnerability due to improper validation of Node name field when creating new cluster or adding existing cluster. ClusterLabs pcs, en versiones anteriores a la 0.9.157, es vulnerable a Cross-Site Scripting (XSS) debido a la validación incorrecta del campo Node name al crear un nuevo clúster o al añadir uno ya existente. • https://bugzilla.redhat.com/show_bug.cgi?id=1428948 https://github.com/ClusterLabs/pcs/commit/1874a769b5720ae5430f10c6cedd234430bc703f • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 0CVE-2016-0720 – pcs: Cross-Site Request Forgery in web UI
https://notcve.org/view.php?id=CVE-2016-0720
Cross-site request forgery (CSRF) vulnerability in pcsd web UI in pcs before 0.9.149. Vulnerabilidad de CSRF en pcsd web UI en pcs en versiones anteriores a 0.9.149. A Cross-Site Request Forgery (CSRF) flaw was found in the pcsd web UI. A remote attacker could provide a specially crafted web page that, when visited by a user with a valid pcsd session, would allow the attacker to trigger requests on behalf of the user, for example removing resources or restarting/removing nodes. • http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178261.html http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178384.html http://rhn.redhat.com/errata/RHSA-2016-2596.html http://www.securityfocus.com/bid/97984 https://bugzilla.redhat.com/show_bug.cgi?id=1299614 https://github.com/ClusterLabs/pcs/commit/b9e7f061788c3b86a0c67d2d4158f067ec5eb625 https://access.redhat.com/security/cve/CVE-2016-0720 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.1EPSS: 0%CPEs: 4EXPL: 0CVE-2016-0721 – pcs: cookies are not invalidated upon logout
https://notcve.org/view.php?id=CVE-2016-0721
Session fixation vulnerability in pcsd in pcs before 0.9.157. Vulnerabilidad de fijación de sesión en pcsd en pcs en versiones anteriores a 0.9.157. It was found that pcsd did not invalidate cookies on the server side when a user logged out. This could potentially allow an attacker to perform session fixation attacks on pcsd. • http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178261.html http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178384.html http://rhn.redhat.com/errata/RHSA-2016-2596.html http://www.securityfocus.com/bid/97977 https://bugzilla.redhat.com/show_bug.cgi?id=1299615 https://github.com/ClusterLabs/pcs/commit/acdbbe8307e6f4a36b2c7754765e732e43fe8d17 https://github.com/ClusterLabs/pcs/commit/bc6ad9086857559db57f4e3e6de66762291c0774 https://github.com/ClusterLabs/pcs/commit/e9b28833d54a47ec441f6 • CWE-384: Session Fixation •