PublicDateAtUSN: 2020-10-27
Candidate: CVE-2020-25654
PublicDate: 2020-11-24 20:15:00 UTC
References: 
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25654
 https://lists.clusterlabs.org/pipermail/developers/2020-October/002324.html
 https://www.openwall.com/lists/oss-security/2020/10/27/1
 https://ubuntu.com/security/notices/USN-4623-1
Description:
 An ACL bypass flaw was found in pacemaker. An attacker having a local
 account on the cluster and in the haclient group could use IPC
 communication with various daemons directly to perform certain tasks that
 they would be prevented by ACLs from doing if they went through the
 configuration.
Ubuntu-Description: 
Notes: 
Mitigation: 
Bugs: 
 https://bugzilla.redhat.com/show_bug.cgi?id=1888191
Priority: medium
Discovered-by: Ken Gaillot
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H [7.2 HIGH]


Patches_pacemaker:
upstream_pacemaker: needs-triage
precise/esm_pacemaker: DNE
trusty_pacemaker: ignored (out of standard support)
trusty/esm_pacemaker: DNE
xenial_pacemaker: released (1.1.14-2ubuntu1.9)
esm-infra/xenial_pacemaker: released (1.1.14-2ubuntu1.9)
bionic_pacemaker: released (1.1.18-0ubuntu1.3)
focal_pacemaker: released (2.0.3-3ubuntu4.1)
groovy_pacemaker: released (2.0.4-2ubuntu3.1)
devel_pacemaker: released (2.0.4-2ubuntu3.1)