Vulnerability-Lookup

alsa-2020:5487

Vulnerability from osv_almalinux

Published

2020-12-15 16:01

Modified

2021-08-11 11:18

Summary

Moderate: pacemaker security update

Details

The Pacemaker cluster resource manager is a collection of technologies working together to maintain data integrity and application availability in the event of failures.

Security Fix(es):

pacemaker: ACL restrictions bypass (CVE-2020-25654)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "pacemaker"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.4-6.el8_3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "pacemaker-cli"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.4-6.el8_3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "pacemaker-cts"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.4-6.el8_3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "pacemaker-doc"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.4-6.el8_3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "pacemaker-libs-devel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.4-6.el8_3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "pacemaker-nagios-plugins-metadata"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.4-6.el8_3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "pacemaker-remote"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.4-6.el8_3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "The Pacemaker cluster resource manager is a collection of technologies working together to maintain data integrity and application availability in the event of failures. \n\nSecurity Fix(es):\n\n* pacemaker: ACL restrictions bypass (CVE-2020-25654)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
  "id": "ALSA-2020:5487",
  "modified": "2021-08-11T11:18:28Z",
  "published": "2020-12-15T16:01:26Z",
  "references": [
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2020-25654"
    }
  ],
  "related": [
    "CVE-2020-25654"
  ],
  "summary": "Moderate: pacemaker security update"
}

CVE-2020-25654 (GCVE-0-2020-25654)

Vulnerability from cvelistv5 – Published: 2020-11-24 00:00 – Updated: 2024-08-04 15:40

Summary

An ACL bypass flaw was found in pacemaker. An attacker having a local account on the cluster and in the haclient group could use IPC communication with various daemons directly to perform certain tasks that they would be prevented by ACLs from doing if they went through the configuration.

Severity ?

No CVSS data available.

CWE

CWE-284

Assigner

redhat

References

URL

Tags

	https://bugzilla.redhat.com/show_bug.cgi?id=1888191
	https://seclists.org/oss-sec/2020/q4/83
	https://lists.clusterlabs.org/pipermail/users/202…
	https://lists.debian.org/debian-lts-announce/2021…	mailing-list
	https://security.gentoo.org/glsa/202309-09	vendor-advisory

Impacted products

	Vendor	Product	Version
	n/a	pacemaker	Affected: pacemaker 1.1.24-rc1, pacemaker 2.0.5-rc2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T15:40:36.912Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1888191"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://seclists.org/oss-sec/2020/q4/83"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.clusterlabs.org/pipermail/users/2020-October/027840.html"
          },
          {
            "name": "[debian-lts-announce] 20210106 [SECURITY] [DLA 2519-1] pacemaker security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2021/01/msg00007.html"
          },
          {
            "name": "GLSA-202309-09",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202309-09"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "pacemaker",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "pacemaker 1.1.24-rc1, pacemaker 2.0.5-rc2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An ACL bypass flaw was found in pacemaker. An attacker having a local account on the cluster and in the haclient group could use IPC communication with various daemons directly to perform certain tasks that they would be prevented by ACLs from doing if they went through the configuration."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-09-29T10:06:23.913Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1888191"
        },
        {
          "url": "https://seclists.org/oss-sec/2020/q4/83"
        },
        {
          "url": "https://lists.clusterlabs.org/pipermail/users/2020-October/027840.html"
        },
        {
          "name": "[debian-lts-announce] 20210106 [SECURITY] [DLA 2519-1] pacemaker security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2021/01/msg00007.html"
        },
        {
          "name": "GLSA-202309-09",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security.gentoo.org/glsa/202309-09"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2020-25654",
    "datePublished": "2020-11-24T00:00:00.000Z",
    "dateReserved": "2020-09-16T00:00:00.000Z",
    "dateUpdated": "2024-08-04T15:40:36.912Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted