CVE-2018-1086
pcs: Debug parameter removal bypass, allowing information disclosure
Summary
- Severity Score: (not shown)
- Exploit Likelihood: (not shown)
- Affected Versions: (not shown)
- Public Exploits: 0
- Exploited in Wild: -
- Decision: -
Descriptions
pcs before versions 0.9.164 and 0.10 is vulnerable to a debug parameter removal bypass. The REST interface of the pcsd service did not properly remove the pcs debug argument from the /run_pcs query, possibly disclosing sensitive information. A remote attacker with a valid token could use this flaw to elevate their privilege.
It was found that the REST interface of the pcsd service did not properly remove the pcs debug argument from the /run_pcs query, possibly disclosing sensitive information. A remote attacker with a valid token could use this flaw to elevate their privilege.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2017-12-04 CVE Reserved
- 2018-04-11 CVE Published
- 2024-07-16 EPSS Updated
- 2024-08-05 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-20: Improper Input Validation
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CAPEC
References (6)
URL | Tag | Date
---|---|---
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1086 | Issue Tracking | -
https://access.redhat.com/errata/RHSA-2018:1060 | - | 2019-10-09
https://access.redhat.com/errata/RHSA-2018:1927 | - | 2019-10-09
https://www.debian.org/security/2018/dsa-4169 | - | 2019-10-09
https://access.redhat.com/security/cve/CVE-2018-1086 | - | 2018-06-19
https://bugzilla.redhat.com/show_bug.cgi?id=1557366 | - | 2018-06-19
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Clusterlabs | Pacemaker Command Line Interface | 0.9.164 | - | Affected
Clusterlabs | Pacemaker Command Line Interface | 0.10 | - | Affected
Debian | Debian Linux | 9.0 | - | Affected
Redhat | Enterprise Linux Server Eus | 7.5 | - | Affected
Redhat | Enterprise Linux Server Eus | 7.6 | - | Affected