Vulnerability CVE-2020-25654: Information

Description

An ACL bypass flaw was found in pacemaker. An attacker having a local account on the cluster and in the haclient group could use IPC communication with various daemons directly to perform certain tasks that they would be prevented by ACLs from doing if they went through the configuration.

Severity: HIGH (7.2) Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

URL: https://nvd.nist.gov/vuln/detail/CVE-2020-25654
Published: Nov. 24, 2020
Modified: Sept. 29, 2023

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
pacemakersisyphus2.0.3-alt12.1.7-alt1ALT-PU-2019-3344-1243228Fixed
pacemakersisyphus_riscv642.1.2-alt12.1.7-alt1ALT-PU-2021-4437-1-Fixed
pacemakerp102.1.0-alt12.1.6-alt1ALT-PU-2021-2323-1280649Fixed
pacemakerp92.0.3-alt22.1.1-alt1ALT-PU-2020-2041-1252090Fixed
pacemakerc10f12.1.0-alt12.1.5-alt1ALT-PU-2021-2323-1280649Fixed
pacemakerc9f22.1.0-alt12.1.1-alt1ALT-PU-2021-2347-1280650Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://lists.clusterlabs.org/pipermail/users/2020-October/027840.html
  • Mailing List
  • Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1888191
  • Issue Tracking
  • Third Party Advisory
https://seclists.org/oss-sec/2020/q4/83
  • Mailing List
  • Third Party Advisory
[debian-lts-announce] 20210106 [SECURITY] [DLA 2519-1] pacemaker security update
  • Mailing List
  • Third Party Advisory
GLSA-202309-09

      1. Configuration 1

        cpe:2.3:a:clusterlabs:pacemaker:2.0.5:rc1:*:*:*:*:*:*
        cpe:2.3:a:clusterlabs:pacemaker:*:*:*:*:*:*:*:*
        End excliding
        1.1.23
        cpe:2.3:a:clusterlabs:pacemaker:*:*:*:*:*:*:*:*
        Start including
        2.0.0
        End excliding
        2.0.3

        Configuration 2

        cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
    VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
    Version: v24.5.1
    Back to top