CVE-2018-16877

HIGH

Pacemaker <2.0.0 - Privilege Escalation

Title source: llm
STIX 2.1

Description

A flaw was found in the way pacemaker's client-server authentication was implemented in versions up to and including 2.0.0. A local attacker could use this flaw, and combine it with other IPC weaknesses, to achieve local privilege escalation.

References (13)

Core 13
Core References
Issue Tracking, Patch, Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16877
Third Party Advisory vendor-advisory
https://usn.ubuntu.com/3952-1/
Mailing List, Third Party Advisory vendor-advisory
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00012.html
Mailing List, Third Party Advisory vendor-advisory
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00034.html
Third Party Advisory vendor-advisory
https://access.redhat.com/errata/RHSA-2019:1278
Third Party Advisory vendor-advisory
https://access.redhat.com/errata/RHSA-2019:1279
Mailing List, Third Party Advisory mailing-list
https://lists.debian.org/debian-lts-announce/2021/01/msg00007.html
Third Party Advisory vendor-advisory
https://security.gentoo.org/glsa/202309-09

Scores

CVSS v3 7.8
EPSS 0.0004
EPSS Percentile 12.1%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-287
Status published
Products (22)
canonical/ubuntu_linux 16.04
canonical/ubuntu_linux 18.04
canonical/ubuntu_linux 18.10
canonical/ubuntu_linux 19.04
clusterlabs/pacemaker < 2.0.0
debian/debian_linux 9.0
fedoraproject/fedora 28
fedoraproject/fedora 29
fedoraproject/fedora 30
opensuse/leap 15.0
... and 12 more
Published Apr 18, 2019
Tracked Since Feb 18, 2026