CVE-2018-1086
MEDIUM
Pacemaker Command Line Interface - Privilege Escalation via Debug Parameter Bypass
Title source: llm
Description
pcs versions before 0.9.164 and 0.10 are vulnerable to a debug parameter removal bypass. The REST interface of the pcsd service did not properly remove the pcs debug argument from the /run_pcs query, possibly disclosing sensitive information. A remote attacker with a valid token could use this flaw to elevate their privilege.
References (4)
Core References
Issue Tracking, Third Party Advisory, x_refsource_misc
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1086
Third Party Advisory, vendor-advisory, x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:1060
Third Party Advisory, vendor-advisory, x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:1927
Third Party Advisory, vendor-advisory, x_refsource_debian
https://www.debian.org/security/2018/dsa-4169
Scores
CVSS v3
4.3
EPSS
0.0165
EPSS Percentile
73.7%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Details
CWE
CWE-20
CWE-200
Status
published
Products (5)
clusterlabs/pacemaker_command_line_interface
0.9.164
clusterlabs/pacemaker_command_line_interface
0.10
debian/debian_linux
9.0
redhat/enterprise_linux_server_eus
7.5
redhat/enterprise_linux_server_eus
7.6
Published
Apr 12, 2018
Tracked Since
Feb 18, 2026