CVE-2018-1086

MEDIUM

Pacemaker Command Line Interface - Privilege Escalation via Debug Parameter Bypass


Description

pcs before versions 0.9.164 and 0.10 is vulnerable to a bypass of its debug-parameter removal. The REST interface of the pcsd service did not properly strip the pcs debug argument from the /run_pcs query before invoking pcs, so pcs could be run with debug output enabled, possibly disclosing sensitive information. A remote attacker holding a valid pcsd token could use this flaw to elevate their privileges.
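The root cause described above is a denylist applied to user-controlled argv: pcsd strips one spelling of the debug flag and forwards the rest to pcs. The following is an added illustration (not pcsd's own code, which is Ruby, and not the bypass actually used against it) of why a single-token denylist is fragile and how an allowlist behaves instead. The alternative spellings, the subcommand and option allowlists, and the model parser that accepts "--debug=value" and unambiguous prefixes are all constructed for the demo; which of those forms the pcs parser accepted in 2018 is not stated on this page.

```python
# Added example: denylist vs allowlist filtering of arguments forwarded to a CLI.
# Not pcsd's code; all inputs and allowlists below are constructed.

# Constructed request argv lists (hypothetical spellings of a debug flag).
CONSTRUCTED_REQUESTS = [
    ["status", "--debug"],     # the exact spelling the denylist catches
    ["status", "--debug=1"],   # option-with-value form (hypothetical)
    ["status", "--deb"],       # abbreviated long option (hypothetical)
    ["status", "--full"],      # benign request
]

# Hypothetical allowlists; a real deployment would enumerate what /run_pcs
# is meant to expose and nothing else.
ALLOWED_COMMANDS = {"status", "cluster", "resource"}
ALLOWED_OPTIONS = {"--full", "--all"}


def strip_debug_exact(argv):
    """Denylist filter (the fragile pattern): drop tokens equal to '--debug'
    and forward everything else unchanged."""
    return [tok for tok in argv if tok != "--debug"]


def filter_allowlist(argv):
    """Allowlist filter: first token must be a permitted subcommand and every
    option-looking token must be explicitly permitted. Returns (ok, detail)."""
    if not argv or argv[0] not in ALLOWED_COMMANDS:
        return False, "unknown subcommand"
    for tok in argv[1:]:
        if tok.startswith("-") and tok not in ALLOWED_OPTIONS:
            return False, f"option not permitted: {tok}"
    return True, list(argv)


def debug_reaches_parser(argv):
    """Model of a getopt-style parser that also honours '--debug=value' and
    unambiguous prefixes of '--debug' (at least '--deb'). A model only."""
    for tok in argv:
        name = tok.split("=", 1)[0]
        if len(name) >= 5 and "--debug".startswith(name):
            return True
    return False


def audit(argv):
    """Run one request through both filters and report whether debug output
    would still be enabled after the denylist, and whether the allowlist
    accepts the request at all."""
    after_denylist = strip_debug_exact(argv)
    accepted, _ = filter_allowlist(argv)
    return {
        "denylist_lets_debug_through": debug_reaches_parser(after_denylist),
        "allowlist_accepts": accepted,
    }


if __name__ == "__main__":
    for req in CONSTRUCTED_REQUESTS:
        print(req, audit(req))
```

The allowlist rejects every constructed variant without having to know how the downstream parser spells or abbreviates its options, which is the property a denylist cannot give.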

References (4)

Issue Tracking, Third Party Advisory (misc): https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1086
Vendor Advisory (Red Hat): https://access.redhat.com/errata/RHSA-2018:1060
Vendor Advisory (Red Hat): https://access.redhat.com/errata/RHSA-2018:1927
Vendor Advisory (Debian): https://www.debian.org/security/2018/dsa-4169

Scores

CVSS v3 4.3
EPSS 0.0165
EPSS Percentile 73.7%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Details

CWE: CWE-20 (Improper Input Validation), CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)
Status published
Products (5)
clusterlabs/pacemaker_command_line_interface 0.9.164 (first fixed 0.9.x release per the description; earlier 0.9.x releases are affected)
clusterlabs/pacemaker_command_line_interface 0.10 (fixed branch per the description)
debian/debian_linux 9.0
redhat/enterprise_linux_server_eus 7.5
redhat/enterprise_linux_server_eus 7.6
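A practical check against the version data above, added here as an example rather than taken from any vendor tooling: parse the version string an operator gets from the package manager or from pcs itself and compare it with the upstream fix point 0.9.164. The accepted input formats (bare "0.9.162", "pcs 0.9.162", rpm-style "0.9.162-5.el7", Debian-style "0.9.155+dfsg-2+deb9u1") are assumed. The caveat built in is the one the Red Hat and Debian advisories imply: distributions backport fixes without bumping the upstream version, so a package with a distro release suffix that sits below 0.9.164 is reported as "check vendor errata" rather than as affected.

```python
# Added example: is a given pcs version string affected by CVE-2018-1086?
# Not vendor code. Input formats and the errata heuristic are assumptions.
import re

FIXED_UPSTREAM = (0, 9, 164)  # from the description: affected before 0.9.164 (and 0.10)

AFFECTED = "affected"
NOT_AFFECTED = "not affected (upstream fix included)"
CHECK_ERRATA = "below fixed upstream version; check vendor errata (RHSA-2018:1060, RHSA-2018:1927, DSA-4169)"


def parse_pcs_version(text):
    """Return the first dotted version in text as a (major, minor, patch) tuple.
    A missing patch component (e.g. '0.10') is treated as 0."""
    match = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not match:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part or 0) for part in match.groups())


def upstream_affected(text):
    """True if the upstream version is older than the 0.9.164 fix point."""
    return parse_pcs_version(text) < FIXED_UPSTREAM


def has_distro_release(text):
    """Heuristic: an rpm/deb release suffix such as '-5.el7' or '-2+deb9u1'
    follows the upstream version with a dash and a digit."""
    return re.search(r"-\d", text) is not None


def assess(text):
    """Classify a version string as affected, not affected, or in need of an
    errata check because the vendor may have backported the fix."""
    if not upstream_affected(text):
        return NOT_AFFECTED
    if has_distro_release(text):
        return CHECK_ERRATA
    return AFFECTED


if __name__ == "__main__":
    # Constructed sample inputs covering the assumed formats.
    for sample in ["0.9.163", "pcs 0.9.164", "0.10", "0.9.162-5.el7_4.5", "0.9.155+dfsg-2+deb9u1"]:
        print(f"{sample:28} -> {assess(sample)}")
```

For a package flagged "check vendor errata", the authoritative answer is whether the installed build is at or above the version named in the relevant advisory, which this script deliberately does not hardcode.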
Published Apr 12, 2018
Tracked Since Feb 18, 2026