CVE-2016-7035
HIGHPacemaker < 1.1.16 - Unauthenticated Privilege Escalation via IPC Interface
Title source: llmDescription
An authorization flaw was found in Pacemaker before 1.1.16, where it did not properly guard its IPC interface. An attacker with an unprivileged account on a Pacemaker node could use this flaw to, for example, force the Local Resource Manager daemon to execute a script as root and thereby gain root access on the machine.
References (8)
Core 8
Core References
Issue Tracking, Third Party Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7035
Third Party Advisory vendor-advisory
x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2016-2614.html
Third Party Advisory vendor-advisory
x_refsource_gentoo
https://security.gentoo.org/glsa/201710-08
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2016/11/03/5
Third Party Advisory vendor-advisory
x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2016-2675.html
Mailing List, Vendor Advisory mailing-list
x_refsource_mlist
https://lists.clusterlabs.org/pipermail/users/2016-November/004432.html
Third Party Advisory x_refsource_confirm
https://github.com/ClusterLabs/pacemaker/commit/5d71e65049
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/94214
Scores
CVSS v3
8.8
EPSS
0.0040
EPSS Percentile
31.2%
Attack Vector
LOCAL
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Details
CWE
CWE-285
Status
published
Products (7)
clusterlabs/pacemaker
< 1.1.16
redhat/enterprise_linux_server
6.0
redhat/enterprise_linux_server
7.0
redhat/enterprise_linux_server_eus
7.3
redhat/enterprise_linux_server_eus
7.4
redhat/enterprise_linux_server_eus
7.5
redhat/enterprise_linux_server_eus
7.6
Published
Sep 10, 2018
Tracked Since
Feb 18, 2026