CVE-2010-2496
Published: 18 October 2021
stonith-ng in pacemaker and cluster-glue passed passwords as commandline parameters, making it possible for local attackers to gain access to passwords of the HA stack and potentially influence its operations. This is fixed in cluster-glue 1.0.6 and newer, and pacemaker 1.1.3 and newer.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
cluster-glue Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(1.0.12-7build1)
|
| focal |
Not vulnerable
|
|
| groovy |
Not vulnerable
|
|
| hirsute |
Not vulnerable
|
|
| impish |
Not vulnerable
|
|
| jammy |
Not vulnerable
|
|
| kinetic |
Not vulnerable
|
|
| lunar |
Not vulnerable
|
|
| trusty |
Not vulnerable
|
|
| upstream |
Released
(1.0.6-1)
|
|
| xenial |
Not vulnerable
|
|
|
pacemaker Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(1.1.18-0ubuntu1.3)
|
| focal |
Not vulnerable
|
|
| groovy |
Not vulnerable
|
|
| hirsute |
Not vulnerable
|
|
| impish |
Not vulnerable
|
|
| jammy |
Not vulnerable
|
|
| kinetic |
Not vulnerable
|
|
| lunar |
Not vulnerable
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(1.1.13-1)
|
|
| xenial |
Not vulnerable
(1.1.14-2ubuntu1)
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 5.5 |
| Attack vector | Local |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | None |
| Availability impact | None |
| Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
References
- https://bugzilla.suse.com/show_bug.cgi?id=620781
- https://github.com/ClusterLabs/cluster-glue/commit/3d7b464439ee0271da76e0ee9480f3dc14005879 (glue-1.0.6)
- https://github.com/ClusterLabs/pacemaker/commit/7901f43c5800374d41ae2287fe122692fe045664 (Pacemaker-1.1.3)
- https://www.cve.org/CVERecord?id=CVE-2010-2496
- NVD
- Launchpad
- Debian