Vulnerabilities > Clusterlabs > Medium
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2024-06-06 | CVE-2024-3049 | Insufficient Verification of Data Authenticity vulnerability in multiple products. A flaw was found in Booth, a cluster ticket manager. | 5.9 |
2022-07-28 | CVE-2022-2553 | Improper Authentication vulnerability in multiple products. The authfile directive in the booth config file is ignored, preventing use of authentication in communications from node to node. | 6.5 |
2020-01-02 | CVE-2014-0104 | Improper Certificate Validation vulnerability in Clusterlabs Fence-Agents. fence-agents before 4.0.17 does not verify remote SSL certificates in the fence_cisco_ucs.py script, which can potentially allow man-in-the-middle attackers to spoof SSL servers via arbitrary SSL certificates. | 4.3 |
2019-07-30 | CVE-2019-10153 | A flaw was discovered in fence-agents, prior to version 4.3.4, where using non-ASCII characters in a guest VM's comment or other fields would cause fence_rhevm to exit with an exception. | 5.0 |
2019-06-07 | CVE-2019-12779 | Link Following vulnerability in Clusterlabs Libqb. libqb before 1.0.5 allows local users to overwrite arbitrary files via a symlink attack, because it uses predictable filenames (under /dev/shm and /tmp) without O_EXCL. | 6.6 |
2019-04-18 | CVE-2018-16878 | Resource Exhaustion vulnerability in multiple products. A flaw was found in pacemaker up to and including version 2.0.1. | 5.5 |
2018-04-12 | CVE-2018-1079 | Path Traversal vulnerability in multiple products. pcs before version 0.9.164 and 0.10 is vulnerable to a privilege escalation via a malicious REST call made by an authorized user. | 4.0 |
2018-04-12 | CVE-2018-1086 | Information Exposure vulnerability in multiple products. pcs before versions 0.9.164 and 0.10 is vulnerable to a debug parameter removal bypass. | 5.0 |
2018-03-12 | CVE-2017-2661 | Cross-site Scripting vulnerability in Clusterlabs PCS. ClusterLabs pcs before version 0.9.157 is vulnerable to cross-site scripting due to improper validation of the Node name field when creating a new cluster or adding an existing cluster. | 4.3 |
2017-03-24 | CVE-2016-7797 | 7PK - Security Features vulnerability in multiple products. Pacemaker before 1.1.15, when using pacemaker remote, might allow remote attackers to cause a denial of service (node disconnection) via an unauthenticated connection. | 5.0 |