Description
A flaw was found in the Pacemaker configuration tool (pcs). When using PAM authentication, the pcs daemon allowed expired accounts and accounts with expired passwords to log in. As a result, unprivileged expired accounts that had been denied access could still log in.
References (3)
Core References
Exploit, Third Party Advisory x_refsource_misc
https://huntr.dev/bounties/7aa921fc-a568-4fd8-96f4-7cd826246aa5
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2022/dsa-5226
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2022/09/msg00017.html
Scores
CVSS v3
8.8
EPSS
0.0027
EPSS Percentile
51.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-287
Status
published
Products (3)
clusterlabs/pcs
< 0.11.2
debian/debian_linux
10.0
debian/debian_linux
11.0
Published
Mar 25, 2022
Tracked Since
Feb 18, 2026