Vulnerability Details : CVE-2020-25654
An ACL bypass flaw was found in Pacemaker. An attacker with a local account on the cluster who is a member of the haclient group could communicate directly with various daemons over IPC to perform tasks that the ACLs would have prevented had they gone through the cluster configuration.
Vulnerability category: Bypass; Gain privilege
Products affected by CVE-2020-25654
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:clusterlabs:pacemaker:*:*:*:*:*:*:*:*
- cpe:2.3:a:clusterlabs:pacemaker:2.0.5:rc1:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-25654
- EPSS score: 0.29% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~68% (proportion of vulnerabilities scored at or below this value)
CVSS scores for CVE-2020-25654
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
| 9.0 | HIGH | AV:N/AC:L/Au:S/C:C/I:C/A:C | 8.0 | 10.0 | NIST | |
| 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 1.2 | 5.9 | NIST | |
CWE ids for CVE-2020-25654
- The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. (Assigned by: secalert@redhat.com, Secondary)
References for CVE-2020-25654
- https://bugzilla.redhat.com/show_bug.cgi?id=1888191 : 1888191 – (CVE-2020-25654) CVE-2020-25654 pacemaker: ACL restrictions bypass (Issue Tracking; Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2021/01/msg00007.html : [SECURITY] [DLA 2519-1] pacemaker security update (Mailing List; Third Party Advisory)
- https://security.gentoo.org/glsa/202309-09 : Pacemaker: Multiple Vulnerabilities (GLSA 202309-09) — Gentoo security
- https://seclists.org/oss-sec/2020/q4/83 : oss-sec: CVE-2020-25654 pacemaker: ACL restrictions bypass (Mailing List; Third Party Advisory)
- https://lists.clusterlabs.org/pipermail/users/2020-October/027840.html : [ClusterLabs] FYI: Pacemaker vulnerability CVE-2020-25654 (Mailing List; Vendor Advisory)