Vulnerability Description
An ACL bypass flaw was found in pacemaker. An attacker having a local account on the cluster and in the haclient group could use IPC communication with various daemons directly to perform certain tasks that they would be prevented by ACLs from doing if they went through the configuration.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Clusterlabs | Pacemaker | < 1.1.23 |
| Debian | Debian Linux | 9.0 |
Related Weaknesses (CWE)
References
- https://bugzilla.redhat.com/show_bug.cgi?id=1888191Issue TrackingThird Party Advisory
- https://lists.clusterlabs.org/pipermail/users/2020-October/027840.htmlMailing ListVendor Advisory
- https://lists.debian.org/debian-lts-announce/2021/01/msg00007.htmlMailing ListThird Party Advisory
- https://seclists.org/oss-sec/2020/q4/83Mailing ListThird Party Advisory
- https://security.gentoo.org/glsa/202309-09
- https://bugzilla.redhat.com/show_bug.cgi?id=1888191Issue TrackingThird Party Advisory
- https://lists.clusterlabs.org/pipermail/users/2020-October/027840.htmlMailing ListVendor Advisory
- https://lists.debian.org/debian-lts-announce/2021/01/msg00007.htmlMailing ListThird Party Advisory
- https://seclists.org/oss-sec/2020/q4/83Mailing ListThird Party Advisory
- https://security.gentoo.org/glsa/202309-09
FAQ
What is CVE-2020-25654?
CVE-2020-25654 is a vulnerability with a CVSS score of 7.2 (HIGH). An ACL bypass flaw was found in pacemaker. An attacker having a local account on the cluster and in the haclient group could use IPC communication with various daemons directly to perform certain task...
How severe is CVE-2020-25654?
CVE-2020-25654 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-25654?
Check the references section above for vendor advisories and patch information. Affected products include: Clusterlabs Pacemaker, Debian Debian Linux.