ClusterLabs: Security Vulnerabilities
pcs before versions 0.9.164 and 0.10 is vulnerable to a debug parameter removal bypass. The REST interface of the pcsd service did not properly remove the pcs debug argument from the /run_pcs query, possibly disclosing sensitive information. A remote attacker with a valid token could use this flaw to elevate their privilege.
CVSS Score: 4.3; EPSS Score: 0.004; Published: 2018-04-12
ClusterLabs pcs before version 0.9.157 is vulnerable to a cross-site scripting vulnerability due to improper validation of the Node name field when creating a new cluster or adding an existing cluster.
CVSS Score: 6.1; EPSS Score: 0.005; Published: 2018-03-12
Cross-site request forgery (CSRF) vulnerability in pcsd web UI in pcs before 0.9.149.
CVSS Score: 8.8; EPSS Score: 0.004; Published: 2017-04-21
Session fixation vulnerability in pcsd in pcs before 0.9.157.
CVSS Score: 8.1; EPSS Score: 0.004; Published: 2017-04-21
Pacemaker before 1.1.15, when using pacemaker remote, might allow remote attackers to cause a denial of service (node disconnection) via an unauthenticated connection.
CVSS Score: 7.5; EPSS Score: 0.03; Published: 2017-03-24
Pacemaker before 1.1.13 does not properly evaluate added nodes, which allows remote read-only users to gain privileges via an acl command.
CVSS Score: 7.5; EPSS Score: 0.007; Published: 2015-08-12
Pacemaker 1.1.10, when remote Cluster Information Base (CIB) configuration or resource management is enabled, does not limit the duration of connections to the blocking sockets, which allows remote attackers to cause a denial of service (connection blocking).
CVSS Score: 4.3; EPSS Score: 0.007; Published: 2013-11-23

