← Back

CVE-2018-1086

nvd nist
Published: Apr 12, 2018Modified: Nov 21, 2024

JSON object

Loading...
7.5
Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 / Impact: 3.6
Source: NVD

Description

pcs before versions 0.9.164 and 0.10 is vulnerable to a debug parameter removal bypass. REST interface of the pcsd service did not properly remove the pcs debug argument from the /run_pcs query, possibly disclosing sensitive information. A remote attacker with a valid token could use this flaw to elevate their privilege.

Affected (5)

Clusterlabs
1 product
Pacemaker Command Line Interface
Debian
1 product
Debian Linux
Redhat
1 product
Enterprise Linux Server Eus
Configuration A
2 vulnerable
Vulnerable SoftwareAffected Versions
Clusterlabs
Pacemaker Command Line Interface
Version 0.10
Pacemaker Command Line Interface
Version 0.9.164
Configuration B
3 vulnerable
Vulnerable SoftwareAffected Versions
Debian Linux
Version 9.0
Redhat
Enterprise Linux Server Eus
Version 7.5
Enterprise Linux Server Eus
Version 7.6

Related CWEs

CWE-20
Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References (8)

Source: secalert@redhat.com
Third Party Advisory
Source: secalert@redhat.com
Third Party Advisory
Source: secalert@redhat.com
Issue TrackingThird Party Advisory
Source: secalert@redhat.com
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Issue TrackingThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory

Timeline

No history available yet.