CVE-2010-2496
Publication date 18 October 2021
Last updated 24 July 2024
Ubuntu priority
stonith-ng in pacemaker and cluster-glue passed passwords as commandline parameters, making it possible for local attackers to gain access to passwords of the HA stack and potentially influence its operations. This is fixed in cluster-glue 1.0.6 and newer, and pacemaker 1.1.3 and newer.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| cluster-glue | ||
| 22.04 LTS jammy |
Not affected
|
|
| 20.04 LTS focal |
Not affected
|
|
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial |
Not affected
|
|
| 14.04 LTS trusty |
Not affected
|
|
| pacemaker | ||
| 22.04 LTS jammy |
Not affected
|
|
| 20.04 LTS focal |
Not affected
|
|
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial |
Not affected
|
|
| 14.04 LTS trusty | Not in release |
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
5.5 · Medium
|
| Attack vector | Local |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | None |
| Availability impact | None |
| Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
References
Other references
- https://bugzilla.suse.com/show_bug.cgi?id=620781
- https://github.com/ClusterLabs/cluster-glue/commit/3d7b464439ee0271da76e0ee9480f3dc14005879 (glue-1.0.6)
- https://github.com/ClusterLabs/pacemaker/commit/7901f43c5800374d41ae2287fe122692fe045664 (Pacemaker-1.1.3)
- https://www.cve.org/CVERecord?id=CVE-2010-2496