CVE-2020-25654

HIGH

Pacemaker < 1.1.23 - ACL Bypass via IPC Communication

Title source: llm
STIX 2.1

Description

An ACL bypass flaw was found in pacemaker. An attacker having a local account on the cluster and in the haclient group could use IPC communication with various daemons directly to perform certain tasks that they would be prevented by ACLs from doing if they went through the configuration.

References (5)

Core 5
Core References
Mailing List, Third Party Advisory mailing-list
https://lists.debian.org/debian-lts-announce/2021/01/msg00007.html
Third Party Advisory vendor-advisory
https://security.gentoo.org/glsa/202309-09
Issue Tracking, Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1888191
Mailing List, Third Party Advisory
https://seclists.org/oss-sec/2020/q4/83

Scores

CVSS v3 7.2
EPSS 0.0200
EPSS Percentile 78.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-284
Status published
Products (3)
clusterlabs/pacemaker 2.0.5 rc1
clusterlabs/pacemaker < 1.1.23
debian/debian_linux 9.0
Published Nov 24, 2020
Tracked Since Feb 18, 2026