Latest Clusterlabs Vulnerabilities

CVE-2023-39976
log_blackbox.c in libqb before 2.0.8 allows a buffer overflow via long log messages because the header size is not considered.
ubuntu/libqb<2.0.4-1ubuntu0.2
ubuntu/libqb<2.0.6-2ubuntu0.1
Clusterlabs Libqb<2.0.8
<2.0.8
redhat/libqb<2.0.8
debian/libqb<=2.0.3-1<=2.0.6-2
CVE-2023-2319
The Webpack flaw <a href="https://access.redhat.com/security/cve/CVE-2023-28154">CVE-2023-28154</a> (<a class="bz_bug_link bz_status_CLOSED bz_closed ...
ClusterLabs pcs=0.11.4-6.el9
Redhat Enterprise Linux High Availability=9.0
Redhat Enterprise Linux High Availability Eus=9.2
CVE-2021-3020
An issue was discovered in ClusterLabs Hawk (aka HA Web Konsole) through 2.3.0-15. It ships the binary hawk_invoke (built from tools/hawk_invoke.c), intended to be used as a setuid program. This allow...
ClusterLabs Hawk<=2.3.0-15
CVE-2022-2735
A security issue was discovered in pcs project. It is caused by incorrect permissions on a unix socket used for internal communication between pcs daemons. A privilege escalation could happen by obtai...
debian/pcs<=0.10.8-1<=0.11.3-1
ClusterLabs pcs>=0.10.5<=0.11.3
Debian Debian Linux=11.0
debian/pcs
CVE-2022-2553
The authfile directive in the booth config file is ignored, preventing use of authentication in communications from node to node. As a result, nodes that do not have the correct authentication key are...
debian/booth
Clusterlabs Booth<=1.0
Debian Debian Linux=10.0
Debian Debian Linux=11.0
Fedoraproject Fedora=35
Fedoraproject Fedora=36
CVE-2010-2496
stonith-ng in pacemaker and cluster-glue passed passwords as commandline parameters, making it possible for local attackers to gain access to passwords of the HA stack and potentially influence its op...
Clusterlabs Cluster Glue<1.0.6
Clusterlabs Pacemaker<1.1.3
CVE-2020-35458
An issue was discovered in ClusterLabs Hawk 2.x through 2.3.0-x. There is a Ruby shell code injection issue via the hawk_remember_me_id parameter in the login_from_cookie cookie. The user logout routi...
ClusterLabs Hawk=2.2.0-12
ClusterLabs Hawk=2.3.0-12
CVE-2020-35459
An issue was discovered in ClusterLabs crmsh through 4.2.1. Local attackers able to call "crm history" (when "crm" is run) were able to execute commands via shell code injection to the crm history com...
pip/crmsh<=4.2.1
ClusterLabs crmsh<=4.2.1
Debian Debian Linux=9.0
ubuntu/crmsh<4.2.0-2ubuntu1.1
ubuntu/crmsh<4.2.1-2
ubuntu/crmsh<4.2.1-2
and 1 more
CVE-2020-25654
An ACL bypass flaw was found in pacemaker. An attacker having a local account on the cluster and in the haclient group could use IPC communication with various daemons directly to perform certain task...
redhat/pacemaker<1.1.24
redhat/pacemaker<2.0.5
redhat/pacemaker<0:1.1.23-1.el7_9.1
redhat/pacemaker<0:2.0.4-6.el8_3.1
redhat/pacemaker<0:2.0.3-5.el8_2.3
Clusterlabs Pacemaker<1.1.23
and 3 more
CVE-2014-0104
In fence-agents before 4.0.17 does not verify remote SSL certificates in the fence_cisco_ucs.py script which can potentially allow for man-in-the-middle attackers to spoof SSL servers via arbitrary SS...
Clusterlabs Fence-agents<4.0.17
debian/fence-agents
CVE-2011-5271
Pacemaker before 1.1.6 configure script creates temporary files insecurely
Clusterlabs Pacemaker<1.1.6
debian/pacemaker
CVE-2019-10153
A flaw was discovered in fence-agents, prior to version 4.3.4, where using non-ASCII characters in a guest VM's comment or other fields would cause fence_rhevm to exit with an exception. In cluster en...
redhat/fence-agents<4.3.4
Clusterlabs Fence-agents<4.3.4
Redhat Enterprise Linux=8.0
Redhat Enterprise Linux Server=7.0
Redhat Enterprise Linux Workstation=7.0
CVE-2019-12779
libqb before 1.0.5 allows local users to overwrite arbitrary files via a symlink attack, because it uses predictable filenames (under /dev/shm and /tmp) without O_EXCL.
Clusterlabs Libqb<1.0.5
redhat/libqb<1.0.4
CVE-2019-3885
A use-after-free flaw was found in pacemaker up to and including version 2.0.1 which could result in certain sensitive information to be leaked via the system logs.
redhat/pacemaker<2.0.2
ubuntu/pacemaker<1.1.18-0ubuntu1.1
ubuntu/pacemaker<1.1.18-2ubuntu1.18.10.1
ubuntu/pacemaker<1.1.18-2ubuntu1.19.04.1
ubuntu/pacemaker<1.1.14-2ubuntu1.6
Clusterlabs Pacemaker<=2.0.1
and 12 more
CVE-2018-16878
A flaw was found in pacemaker up to and including version 2.0.1. An insufficient verification inflicted preference of uncontrolled processes can lead to DoS
redhat/pacemaker<2.0.2
ubuntu/pacemaker<1.1.18-0ubuntu1.1
ubuntu/pacemaker<1.1.18-2ubuntu1.18.10.1
ubuntu/pacemaker<1.1.18-2ubuntu1.19.04.1
ubuntu/pacemaker<1.1.14-2ubuntu1.6
Clusterlabs Pacemaker<=2.0.1
and 44 more
CVE-2018-16877
A flaw was found in the way pacemaker's client-server authentication was implemented in versions up to and including 2.0.0. A local attacker could use this flaw, and combine it with other IPC weakness...
redhat/pacemaker<2.0.2
ubuntu/pacemaker<1.1.18-0ubuntu1.1
ubuntu/pacemaker<1.1.18-2ubuntu1.18.10.1
ubuntu/pacemaker<1.1.18-2ubuntu1.19.04.1
ubuntu/pacemaker<1.1.14-2ubuntu1.6
Clusterlabs Pacemaker<=2.0.0
and 44 more
CVE-2016-7035
An authorization flaw was found in Pacemaker before 1.1.16, where it did not properly guard its IPC interface. An attacker with an unprivileged account on a Pacemaker node could use this flaw to, for ...
Clusterlabs Pacemaker<=1.1.16
Redhat Enterprise Linux Server=6.0
Redhat Enterprise Linux Server=7.0
Redhat Enterprise Linux Server Eus=7.3
Redhat Enterprise Linux Server Eus=7.4
Redhat Enterprise Linux Server Eus=7.5
and 1 more

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203