CVE-2020-25654
HIGHPacemaker < 1.1.23 - ACL Bypass via IPC Communication
Title source: llmDescription
An ACL bypass flaw was found in pacemaker. An attacker having a local account on the cluster and in the haclient group could use IPC communication with various daemons directly to perform certain tasks that they would be prevented by ACLs from doing if they went through the configuration.
References (5)
Core 5
Core References
Mailing List, Third Party Advisory mailing-list
https://lists.debian.org/debian-lts-announce/2021/01/msg00007.html
Third Party Advisory vendor-advisory
https://security.gentoo.org/glsa/202309-09
Issue Tracking, Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1888191
Mailing List, Vendor Advisory
https://lists.clusterlabs.org/pipermail/users/2020-October/027840.html
Mailing List, Third Party Advisory
https://seclists.org/oss-sec/2020/q4/83
Scores
CVSS v3
7.2
EPSS
0.0200
EPSS Percentile
78.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-284
Status
published
Products (3)
clusterlabs/pacemaker
2.0.5 rc1
clusterlabs/pacemaker
< 1.1.23
debian/debian_linux
9.0
Published
Nov 24, 2020
Tracked Since
Feb 18, 2026