CVE-2015-1867
pacemaker: acl read-only access allow role assignment
- Public Exploits: 0
- Exploited in Wild: -
- Decision: -
Descriptions
Pacemaker before 1.1.13 does not properly evaluate added nodes, which allows remote read-only users to gain privileges via an acl command.
The Pacemaker Resource Manager is a collection of technologies working together to provide data integrity and the ability to maintain application availability in the event of a failure. A flaw was found in the way pacemaker, a cluster resource manager, evaluated added nodes in certain situations. A user with read-only access could potentially assign any other existing roles to themselves and then add privileges to other users as well. The pacemaker packages have been upgraded to upstream version 1.1.13, which provides a number of bug fixes and enhancements over the previous version.
Timeline
- 2015-02-17 CVE Reserved
- 2015-07-22 CVE Published
- 2024-08-06 CVE Updated
- 2025-03-30 EPSS Updated
- Exploited in Wild: -
- KEV Due Date: -
- First Exploit: -
CWE
- CWE-264: Permissions, Privileges, and Access Controls
- CWE-863: Incorrect Authorization
References (10)
URL | Tag | Source
---|---|---
http://www.securityfocus.com/bid/74231 | Third Party Advisory | 
https://github.com/ClusterLabs/pacemaker/commit/84ac07c | X_refsource_confirm | 
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Redhat | Enterprise Linux High Availability | 6.0 | - | Affected
Redhat | Enterprise Linux High Availability | 7.0 | - | Affected
Redhat | Enterprise Linux Resilient Storage | 6.0 | - | Affected
Redhat | Enterprise Linux Resilient Storage | 7.0 | - | Affected
Clusterlabs | Pacemaker | <= 1.1.12 | - | Affected