#VU49118 Improper access control in Pacemaker - CVE-2020-25654
Published: November 24, 2020 / Updated: December 22, 2020
Vulnerability identifier: #VU49118
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2020-25654
CWE-ID: CWE-284
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vulnerable software:
Pacemaker
Pacemaker
Software vendor:
ClusterLabs
ClusterLabs
Description
The vulnerability allows a local user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions in pacemaker. A local account on the cluster and in the haclient group can use IPC communication with various daemons directly to perform certain tasks that they would be prevented by ACLs from doing if they went through the configuration.
Remediation
Install updates from vendor's website.