Lucene search

[email protected]CVE-2018-1086

HistoryApr 12, 2018 - 4:29 p.m.

CVE-2018-1086

2018-04-1216:29:00

CWE-200

[email protected]

web.nvd.nist.gov

cve-2018-1086

pcs

debug parameter

rest interface

pcsd service

remote attacker

privilege elevation

security vulnerability

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

7.3 High

AI Score

Confidence

High

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.006 Low

EPSS

Percentile

77.8%

JSON

pcs before versions 0.9.164 and 0.10 is vulnerable to a debug parameter removal bypass. REST interface of the pcsd service did not properly remove the pcs debug argument from the /run_pcs query, possibly disclosing sensitive information. A remote attacker with a valid token could use this flaw to elevate their privilege.

CPENameOperatorVersion
clusterlabs:pacemaker_command_line_interfaceclusterlabs pacemaker command line interfaceeq0.10
clusterlabs:pacemaker_command_line_interfaceclusterlabs pacemaker command line interfaceeq0.9.164
debian:debian_linuxdebian debian linuxeq9.0
redhat:enterprise_linux_server_eusredhat enterprise linux server euseq7.5
redhat:enterprise_linux_server_eusredhat enterprise linux server euseq7.6

CPE	Name	Operator	Version
clusterlabs:pacemaker_command_line_interface	clusterlabs pacemaker command line interface	eq	0.10
clusterlabs:pacemaker_command_line_interface	clusterlabs pacemaker command line interface	eq	0.9.164
debian:debian_linux	debian debian linux	eq	9.0
redhat:enterprise_linux_server_eus	redhat enterprise linux server eus	eq	7.5
redhat:enterprise_linux_server_eus	redhat enterprise linux server eus	eq	7.6