CVE-2010-2496
First published: Mon Oct 18 2021(Updated: )
stonith-ng in pacemaker and cluster-glue passed passwords as commandline parameters, making it possible for local attackers to gain access to passwords of the HA stack and potentially influence its operations. This is fixed in cluster-glue 1.0.6 and newer, and pacemaker 1.1.3 and newer.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Clusterlabs Cluster Glue | <1.0.6 | |
| Clusterlabs Pacemaker | <1.1.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2010-2496?
CVE-2010-2496 is a vulnerability in stonith-ng in pacemaker and cluster-glue that allows local attackers to gain access to passwords of the HA stack and potentially influence its operations.
How does CVE-2010-2496 impact my system?
CVE-2010-2496 allows local attackers to obtain passwords and potentially manipulate the operations of the HA stack.
Is there a fix for CVE-2010-2496?
Yes, the vulnerability is fixed in cluster-glue version 1.0.6 and newer, and pacemaker version 1.1.3 and newer.
What is the severity of CVE-2010-2496?
CVE-2010-2496 has a severity rating of medium with a CVSS score of 5.5.
What is CWE-287?
CWE-287 is a weakness related to the improper authentication or handling of credentials, which is the underlying cause of CVE-2010-2496.
- collector/nvd-historical
- collector/nvd-index
- agent/weakness
- agent/type
- agent/references
- agent/severity
- agent/author
- agent/tags
- agent/description
- agent/event
- agent/last-modified-date
- agent/remedy
- agent/softwarecombine
- agent/first-publish-date
- vendor/clusterlabs
- canonical/clusterlabs cluster glue
- canonical/clusterlabs pacemaker