CVE-2018-16877
HIGH EPSS 32.2%
Published Apr 18, 2019 (7y ago) · Modified Jun 17, 2026 (2w ago)
7.8 CVSS 3.1
Description
A flaw was found in the way pacemaker's client-server authentication was implemented in versions up to and including 2.0.0. A local attacker could use this flaw, and combine it with other IPC weaknesses, to achieve local privilege escalation.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High
Threat Intelligence
EPSS Exploit Probability
32.2% percentile
Exploit & Patch Status
No Known Exploit
Patch Available
Weaknesses 1
CWE-287 Improper Authentication
Affected Products 22
| Vendor | Product | Version | Range |
|---|---|---|---|
| clusterlabs | pacemaker | * | ≤2.0.0 |
| canonical | ubuntu_linux | 16.04 | any |
| canonical | ubuntu_linux | 18.04 | any |
| canonical | ubuntu_linux | 18.10 | any |
| canonical | ubuntu_linux | 19.04 | any |
| fedoraproject | fedora | 28 | any |
| fedoraproject | fedora | 29 | any |
| fedoraproject | fedora | 30 | any |
| debian | debian_linux | 9.0 | any |
| opensuse | leap | 15.0 | any |
| opensuse | leap | 42.3 | any |
| redhat | enterprise_linux | 8.0 | any |
| redhat | enterprise_linux_eus | 8.1 | any |
| redhat | enterprise_linux_eus | 8.2 | any |
| redhat | enterprise_linux_eus | 8.4 | any |
| redhat | enterprise_linux_eus | 8.6 | any |
| redhat | enterprise_linux_server_aus | 8.2 | any |
| redhat | enterprise_linux_server_aus | 8.4 | any |
| redhat | enterprise_linux_server_aus | 8.6 | any |
| redhat | enterprise_linux_server_tus | 8.2 | any |
| redhat | enterprise_linux_server_tus | 8.4 | any |
| redhat | enterprise_linux_server_tus | 8.6 | any |
References 13
- lists.opensuse.org http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00012.html
- lists.opensuse.org http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00034.html
- securityfocus.com http://www.securityfocus.com/bid/108042
- access.redhat.com https://access.redhat.com/errata/RHSA-2019:1278
- access.redhat.com https://access.redhat.com/errata/RHSA-2019:1279
- bugzilla.redhat.com https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16877
- github.com https://github.com/ClusterLabs/pacemaker/pull/1749
- lists.debian.org https://lists.debian.org/debian-lts-announce/2021/01/msg00007.html
- lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3GCWFO7GL6MBU6C4BGFO3P6L77DIBBF3/
- lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FY4M4RMIG2POKC6OOFQODGKPRYXHET2F/
- lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HR6QUYGML735EI3HEEHYRDW7EG73BUH2/
- security.gentoo.org https://security.gentoo.org/glsa/202309-09
- usn.ubuntu.com https://usn.ubuntu.com/3952-1/
Remediation
- bugzilla.redhat.com https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16877
- github.com https://github.com/ClusterLabs/pacemaker/pull/1749