An ACL bypass flaw was found in pacemaker. An attacker having a local account on the cluster and in the haclient group could use IPC communication with various daemons directly to perform certain tasks that they would be prevented by ACLs from doing if they went through the configuration.
References
Link | Resource |
---|---|
https://bugzilla.redhat.com/show_bug.cgi?id=1888191 | Issue Tracking Third Party Advisory |
https://lists.clusterlabs.org/pipermail/users/2020-October/027840.html | Mailing List Vendor Advisory |
https://lists.debian.org/debian-lts-announce/2021/01/msg00007.html | Mailing List Third Party Advisory |
https://seclists.org/oss-sec/2020/q4/83 | Mailing List Third Party Advisory |
https://security.gentoo.org/glsa/202309-09 |
Configurations
History
29 Sep 2023, 11:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
CWE | NVD-CWE-Other |
04 Mar 2021, 20:48
Type | Values Removed | Values Added |
---|---|---|
References | (MLIST) https://lists.debian.org/debian-lts-announce/2021/01/msg00007.html - Mailing List, Third Party Advisory | |
CPE | cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* | |
CWE |
07 Jan 2021, 01:15
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-284 | |
References |
|
Information
Published : 2020-11-24 20:15
Updated : 2023-12-10 13:41
NVD link : CVE-2020-25654
Mitre link : CVE-2020-25654
CVE.ORG link : CVE-2020-25654
JSON object : View
Products Affected
clusterlabs
- pacemaker
debian
- debian_linux
CWE