Candidate: CVE-2018-1086
PublicDate: 2018-04-12 16:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1086
 http://www.openwall.com/lists/oss-security/2018/04/09/2
Description:
 pcs before versions 0.9.164 and 0.10 is vulnerable to a debug parameter
 removal bypass. REST interface of the pcsd service did not properly remove
 the pcs debug argument from the /run_pcs query, possibly disclosing
 sensitive information. A remote attacker with a valid token could use this
 flaw to elevate their privilege.
Ubuntu-Description:
Notes:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895313
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N [7.5 HIGH]

Patches_pcs:
upstream_pcs: released (0.9.164-1)
precise/esm_pcs: DNE
trusty_pcs: DNE
trusty/esm_pcs: DNE
xenial_pcs: ignored (end of standard support, was needed)
artful_pcs: ignored (reached end-of-life)
bionic_pcs: not-affected (0.9.164-1)
cosmic_pcs: ignored (reached end-of-life)
disco_pcs: not-affected (0.10.1-2)
eoan_pcs: not-affected (0.10.1-2)
focal_pcs: not-affected (0.10.1-2)
groovy_pcs: not-affected (0.10.1-2)
hirsute_pcs: not-affected (0.10.1-2)
impish_pcs: not-affected (0.10.1-2)
jammy_pcs: not-affected (0.10.1-2)
devel_pcs: not-affected (0.10.1-2)