10 matches found
CVE-2020-25654
CVE-2020-25654 affects Pacemaker: an ACL bypass flaw where a local attacker in the haclient group can use IPC to communicate with various daemons and perform tasks disallowed by ACLs. Documented impact includes potential bypass of ACL restrictions via IPC instead of configuration. Multiple adviso...
CVE-2018-16878
CVE-2018-16878 (and related Pacemaker issues) affect Pacemaker up to v2.0.1. Concrete items in connected docs: CVE-2018-16877 (insufficient local IPC client-server authentication enabling local privesc), CVE-2018-16878 (insufficient verification enabling DoS via uncontrolled process preference), ...
CVE-2018-16877
Pacemaker contains several documented vulnerabilities (CVE-2018-16877, CVE-2018-16878, CVE-2019-3885) discussed across multiple advisories. The issues include: a client–server authentication flaw enabling local privilege escalation, an insufficient verification that can cause DoS via uncontrolled...
CVE-2019-3885
CVE-2019-3885 is a use-after-free vulnerability in Pacemaker up to and including version 2.0.1 that could cause sensitive information to be leaked via system logs. Connected Nessus/Gentoo/OS advisory entries confirm this flaw alongside other Pacemaker issues (e.g., CVEs 2018-16877, 2018-16878, 20...
CVE-2016-7035
CVE-2016-7035 affects Pacemaker prior to 1.1.16, due to an authorization flaw on the IPC interface. An unprivileged local attacker could force the Local Resource Manager daemon to execute a script as root, gaining full euid/root access. The issue is mitigated by upgrading Pacemaker to 1.1.16 or n...
CVE-2013-0281
CVE-2013-0281 affects Pacemaker 1.1.10 when remote CIB configuration or resource management is enabled. The root cause is that remote connections to blocking sockets are not limited in duration, allowing a remote attacker to cause a denial of service by blocking the cluster’s service. Public advi...
CVE-2015-1867
CVE-2015-1867 affects Pacemaker up to version 1.1.13. The flaw arises when evaluating added nodes, enabling remote read-only users to gain privileges via an acl command. MiracleLinux advisories and other Nessus plugins link this CVE to Pacemaker releases up to 1.1.13 (and fixes in that version). ...
CVE-2016-7797
CVE-2016-7797 affects Pacemaker prior to 1.1.15. The issue can allow a remote, unauthenticated attacker (via Pacemaker Remote) to cause a denial of service resulting in node disconnection. The connected sources corroborate the high-level impact and reference related advisories (e.g., RHSA-2016:25...
CVE-2011-5271
Technical details are not publicly disclosed in the provided documents; no information on affected products, versions, root cause, or fix is included. Monitor for updates.
CVE-2010-2496
The CVE-2010-2496 issue affects stonith-ng in pacemaker and cluster-glue where passwords were passed as command-line parameters. This allowed local attackers to access HA stack passwords and potentially influence cluster operations. A fix is available in cluster-glue 1.0.6 and newer and pacemaker...