What is the vulnerability ID of this security flaw?

The vulnerability ID is CVE-2020-25654.

What is the severity level of CVE-2020-25654?

The severity level of CVE-2020-25654 is critical with a CVSS score of 7.2.

What is the affected software for CVE-2020-25654?

The affected software for CVE-2020-25654 is Clusterlabs Pacemaker versions up to and including 1.1.23, versions between 2.0.0 and 2.0.3, and version 2.0.5-rc1. It also affects Debian Debian Linux version 9.0.

How can an attacker exploit CVE-2020-25654?

An attacker with a local account on the cluster and in the haclient group can use IPC communication with various daemons to directly perform certain tasks that would be prevented if they had gone through configured ACLs.

What is the fix for CVE-2020-25654?

The fix for CVE-2020-25654 is to upgrade to Clusterlabs Pacemaker version 1.1.24 or later, or version 2.0.5 or later. For Debian Debian Linux, update to version 9.0 or later.

Vulnerability/
CVE-2020-25654

critical

CWE

284

14/10/2020

27/10/2020

29/9/2023

CVE-2020-25654

First published: Wed Oct 14 2020(Updated: )

An ACL bypass flaw was found in pacemaker. An attacker having a local account on the cluster and in the haclient group could use IPC communication with various daemons directly to perform certain tasks that they would be prevented by ACLs from doing if they went through the configuration.

Credit: secalert@redhat.com secalert@redhat.com

Affected Software	Affected Version	How to fix
redhat/pacemaker	<1.1.24	1.1.24
redhat/pacemaker	<2.0.5	2.0.5
redhat/pacemaker	<0:1.1.23-1.el7_9.1	0:1.1.23-1.el7_9.1
redhat/pacemaker	<0:2.0.4-6.el8_3.1	0:2.0.4-6.el8_3.1
redhat/pacemaker	<0:2.0.3-5.el8_2.3	0:2.0.3-5.el8_2.3
Clusterlabs Pacemaker	<1.1.23
Clusterlabs Pacemaker	>=2.0.0<2.0.3
Clusterlabs Pacemaker	=2.0.5-rc1
Debian Debian Linux	=9.0

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Frequently Asked Questions

What is the vulnerability ID of this security flaw?
The vulnerability ID is CVE-2020-25654.
What is the severity level of CVE-2020-25654?
The severity level of CVE-2020-25654 is critical with a CVSS score of 7.2.
What is the affected software for CVE-2020-25654?
The affected software for CVE-2020-25654 is Clusterlabs Pacemaker versions up to and including 1.1.23, versions between 2.0.0 and 2.0.3, and version 2.0.5-rc1. It also affects Debian Debian Linux version 9.0.
How can an attacker exploit CVE-2020-25654?
An attacker with a local account on the cluster and in the haclient group can use IPC communication with various daemons to directly perform certain tasks that would be prevented if they had gone through configured ACLs.
What is the fix for CVE-2020-25654?
The fix for CVE-2020-25654 is to upgrade to Clusterlabs Pacemaker version 1.1.24 or later, or version 2.0.5 or later. For Debian Debian Linux, update to version 9.0 or later.

collector/redhat-bugzilla
source/Red Hat
alias/CVE-2020-25654
collector/redhat-cve
collector/nvd-api
collector/nvd-index
agent/software-canonical-lookup
agent/author
agent/description
agent/event
agent/first-publish-date
agent/last-modified-date
agent/references
agent/severity
agent/softwarecombine
agent/tags
agent/type
agent/weakness
package-manager/redhat
vendor/clusterlabs
canonical/clusterlabs pacemaker
version/clusterlabs pacemaker/2.0.0
version/clusterlabs pacemaker/2.0.5-rc1
vendor/debian
canonical/debian debian linux
version/debian debian linux/9.0