A flaw was found in the way pacemakers client-server authentication was implemented in versions up to and including 2.0.0. A local attacker could use this flaw, and combine it with other IPC weaknesses, to achieve local privilege escalation.
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Pacemaker | Clusterlabs | * | 2.0.0 (including) |
Red Hat Enterprise Linux 7 | RedHat | pacemaker-0:1.1.19-8.el7_6.5 | * |
Red Hat Enterprise Linux 8 | RedHat | pacemaker-0:2.0.1-4.el8_0.3 | * |
Pacemaker | Ubuntu | bionic | * |
Pacemaker | Ubuntu | cosmic | * |
Pacemaker | Ubuntu | devel | * |
Pacemaker | Ubuntu | disco | * |
Pacemaker | Ubuntu | trusty | * |
Pacemaker | Ubuntu | xenial | * |