Vulnerabilities > Clusterlabs

DATE CVE VULNERABILITY TITLE RISK
2021-10-18 CVE-2010-2496 Improper Authentication vulnerability in Clusterlabs Cluster Glue and Pacemaker
stonith-ng in pacemaker and cluster-glue passed passwords as command-line parameters, making it possible for local attackers to gain access to passwords of the HA stack and potentially influence its operations.
local
low complexity
clusterlabs CWE-287
2.1
2021-01-12 CVE-2020-35458 Code Injection vulnerability in Clusterlabs Hawk 2.2.012/2.3.012
An issue was discovered in ClusterLabs Hawk 2.x through 2.3.0-x.
network
low complexity
clusterlabs CWE-94
critical
10.0
2021-01-12 CVE-2020-35459 Improper Privilege Management vulnerability in multiple products
An issue was discovered in ClusterLabs crmsh through 4.2.1.
local
low complexity
clusterlabs debian CWE-269
7.2
2020-11-24 CVE-2020-25654 Improper Access Control vulnerability in multiple products
An ACL bypass flaw was found in pacemaker.
network
low complexity
clusterlabs debian CWE-284
critical
9.0
2020-01-02 CVE-2014-0104 Improper Certificate Validation vulnerability in Clusterlabs Fence-Agents
fence-agents before 4.0.17 does not verify remote SSL certificates in the fence_cisco_ucs.py script, which can potentially allow man-in-the-middle attackers to spoof SSL servers via arbitrary SSL certificates.
4.3
2019-11-12 CVE-2011-5271 Link Following vulnerability in Clusterlabs Pacemaker
The configure script in Pacemaker before 1.1.6 creates temporary files insecurely.
3.3
2019-07-30 CVE-2019-10153 Encoding Error vulnerability in multiple products
A flaw was discovered in fence-agents, prior to version 4.3.4, where using non-ASCII characters in a guest VM's comment or other fields would cause fence_rhevm to exit with an exception.
network
low complexity
clusterlabs redhat CWE-172
4.0
2019-06-07 CVE-2019-12779 Link Following vulnerability in Clusterlabs Libqb
libqb before 1.0.5 allows local users to overwrite arbitrary files via a symlink attack, because it uses predictable filenames (under /dev/shm and /tmp) without O_EXCL.
local
low complexity
clusterlabs CWE-59
6.6
2019-04-18 CVE-2018-16877 Improper Authentication vulnerability in multiple products
A flaw was found in the way pacemaker's client-server authentication was implemented in versions up to and including 2.0.0.
4.6
2019-04-18 CVE-2018-16878 Resource Exhaustion vulnerability in multiple products
A flaw was found in pacemaker up to and including version 2.0.1.
2.1