rhsa-2015_1700
Vulnerability from csaf_redhat
Published
2015-09-01 13:41
Modified
2024-11-22 09:27
Summary
Red Hat Security Advisory: pcs security update

Notes

Topic
Updated pcs packages that fix two security issues are now available for Red Hat Enterprise Linux 6 and 7.

Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.
Details
The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities.

A command injection flaw was found in the pcsd web UI. An attacker able to trick a victim that was logged in to the pcsd web UI into visiting a specially crafted URL could use this flaw to execute arbitrary code with root privileges on the server hosting the web UI. (CVE-2015-5190)

A race condition was found in the way the pcsd web UI backend performed authorization of user requests. An attacker could use this flaw to send a request that would be evaluated as originating from a different user, potentially allowing the attacker to perform actions with permissions of a more privileged user. (CVE-2015-5189)

These issues were discovered by Tomáš Jelínek of Red Hat.

All pcs users are advised to upgrade to these updated packages, which contain backported patches to correct these issues.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Updated pcs packages that fix two security issues are now available for Red\nHat Enterprise Linux 6 and 7.\n\nRed Hat Product Security has rated this update as having Important security\nimpact. Common Vulnerability Scoring System (CVSS) base scores, which give\ndetailed severity ratings, are available for each vulnerability from the\nCVE links in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "The pcs packages provide a command-line configuration system for the\nPacemaker and Corosync utilities.\n\nA command injection flaw was found in the pcsd web UI. An attacker able to\ntrick a victim that was logged in to the pcsd web UI into visiting a\nspecially crafted URL could use this flaw to execute arbitrary code with\nroot privileges on the server hosting the web UI. (CVE-2015-5190)\n\nA race condition was found in the way the pcsd web UI backend performed\nauthorization of user requests. An attacker could use this flaw to send a\nrequest that would be evaluated as originating from a different user,\npotentially allowing the attacker to perform actions with permissions of a\nmore privileged user. (CVE-2015-5189)\n\nThese issues were discovered by Tom\u00e1\u0161 Jel\u00ednek of Red Hat.\n\nAll pcs users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2015:1700",
        "url": "https://access.redhat.com/errata/RHSA-2015:1700"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "1252805",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1252805"
      },
      {
        "category": "external",
        "summary": "1252813",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1252813"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_1700.json"
      }
    ],
    "title": "Red Hat Security Advisory: pcs security update",
    "tracking": {
      "current_release_date": "2024-11-22T09:27:21+00:00",
      "generator": {
        "date": "2024-11-22T09:27:21+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2015:1700",
      "initial_release_date": "2015-09-01T13:41:46+00:00",
      "revision_history": [
        {
          "date": "2015-09-01T13:41:46+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2015-09-01T13:41:46+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-22T09:27:21+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux High Availability (v. 6)",
                "product": {
                  "name": "Red Hat Enterprise Linux High Availability (v. 6)",
                  "product_id": "6Server-HighAvailability-6.7.z",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:6::server"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux Resilient Storage (v. 6)",
                "product": {
                  "name": "Red Hat Enterprise Linux Resilient Storage (v. 6)",
                  "product_id": "6Server-ResilientStorage-6.7.z",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:6::server"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux Server High Availability (v. 7)",
                "product": {
                  "name": "Red Hat Enterprise Linux Server High Availability (v. 7)",
                  "product_id": "7Server-HighAvailability-7.1.Z",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:7::server"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux Server Resilient Storage (v. 7)",
                "product": {
                  "name": "Red Hat Enterprise Linux Server Resilient Storage (v. 7)",
                  "product_id": "7Server-ResilientStorage-7.1.Z",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:7::server"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Enterprise Linux"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "pcs-0:0.9.139-9.el6_7.1.x86_64",
                "product": {
                  "name": "pcs-0:0.9.139-9.el6_7.1.x86_64",
                  "product_id": "pcs-0:0.9.139-9.el6_7.1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/pcs@0.9.139-9.el6_7.1?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "pcs-debuginfo-0:0.9.139-9.el6_7.1.x86_64",
                "product": {
                  "name": "pcs-debuginfo-0:0.9.139-9.el6_7.1.x86_64",
                  "product_id": "pcs-debuginfo-0:0.9.139-9.el6_7.1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/pcs-debuginfo@0.9.139-9.el6_7.1?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "pcs-debuginfo-0:0.9.137-13.el7_1.4.x86_64",
                "product": {
                  "name": "pcs-debuginfo-0:0.9.137-13.el7_1.4.x86_64",
                  "product_id": "pcs-debuginfo-0:0.9.137-13.el7_1.4.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/pcs-debuginfo@0.9.137-13.el7_1.4?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "python-clufter-0:0.9.137-13.el7_1.4.x86_64",
                "product": {
                  "name": "python-clufter-0:0.9.137-13.el7_1.4.x86_64",
                  "product_id": "python-clufter-0:0.9.137-13.el7_1.4.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/python-clufter@0.9.137-13.el7_1.4?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "pcs-0:0.9.137-13.el7_1.4.x86_64",
                "product": {
                  "name": "pcs-0:0.9.137-13.el7_1.4.x86_64",
                  "product_id": "pcs-0:0.9.137-13.el7_1.4.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/pcs@0.9.137-13.el7_1.4?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "pcs-0:0.9.139-9.el6_7.1.src",
                "product": {
                  "name": "pcs-0:0.9.139-9.el6_7.1.src",
                  "product_id": "pcs-0:0.9.139-9.el6_7.1.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/pcs@0.9.139-9.el6_7.1?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "pcs-0:0.9.137-13.el7_1.4.src",
                "product": {
                  "name": "pcs-0:0.9.137-13.el7_1.4.src",
                  "product_id": "pcs-0:0.9.137-13.el7_1.4.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/pcs@0.9.137-13.el7_1.4?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "pcs-debuginfo-0:0.9.139-9.el6_7.1.i686",
                "product": {
                  "name": "pcs-debuginfo-0:0.9.139-9.el6_7.1.i686",
                  "product_id": "pcs-debuginfo-0:0.9.139-9.el6_7.1.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/pcs-debuginfo@0.9.139-9.el6_7.1?arch=i686"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "pcs-0:0.9.139-9.el6_7.1.i686",
                "product": {
                  "name": "pcs-0:0.9.139-9.el6_7.1.i686",
                  "product_id": "pcs-0:0.9.139-9.el6_7.1.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/pcs@0.9.139-9.el6_7.1?arch=i686"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "i686"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "pcs-0:0.9.139-9.el6_7.1.i686 as a component of Red Hat Enterprise Linux High Availability (v. 6)",
          "product_id": "6Server-HighAvailability-6.7.z:pcs-0:0.9.139-9.el6_7.1.i686"
        },
        "product_reference": "pcs-0:0.9.139-9.el6_7.1.i686",
        "relates_to_product_reference": "6Server-HighAvailability-6.7.z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "pcs-0:0.9.139-9.el6_7.1.src as a component of Red Hat Enterprise Linux High Availability (v. 6)",
          "product_id": "6Server-HighAvailability-6.7.z:pcs-0:0.9.139-9.el6_7.1.src"
        },
        "product_reference": "pcs-0:0.9.139-9.el6_7.1.src",
        "relates_to_product_reference": "6Server-HighAvailability-6.7.z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "pcs-0:0.9.139-9.el6_7.1.x86_64 as a component of Red Hat Enterprise Linux High Availability (v. 6)",
          "product_id": "6Server-HighAvailability-6.7.z:pcs-0:0.9.139-9.el6_7.1.x86_64"
        },
        "product_reference": "pcs-0:0.9.139-9.el6_7.1.x86_64",
        "relates_to_product_reference": "6Server-HighAvailability-6.7.z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "pcs-debuginfo-0:0.9.139-9.el6_7.1.i686 as a component of Red Hat Enterprise Linux High Availability (v. 6)",
          "product_id": "6Server-HighAvailability-6.7.z:pcs-debuginfo-0:0.9.139-9.el6_7.1.i686"
        },
        "product_reference": "pcs-debuginfo-0:0.9.139-9.el6_7.1.i686",
        "relates_to_product_reference": "6Server-HighAvailability-6.7.z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "pcs-debuginfo-0:0.9.139-9.el6_7.1.x86_64 as a component of Red Hat Enterprise Linux High Availability (v. 6)",
          "product_id": "6Server-HighAvailability-6.7.z:pcs-debuginfo-0:0.9.139-9.el6_7.1.x86_64"
        },
        "product_reference": "pcs-debuginfo-0:0.9.139-9.el6_7.1.x86_64",
        "relates_to_product_reference": "6Server-HighAvailability-6.7.z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "pcs-0:0.9.139-9.el6_7.1.i686 as a component of Red Hat Enterprise Linux Resilient Storage (v. 6)",
          "product_id": "6Server-ResilientStorage-6.7.z:pcs-0:0.9.139-9.el6_7.1.i686"
        },
        "product_reference": "pcs-0:0.9.139-9.el6_7.1.i686",
        "relates_to_product_reference": "6Server-ResilientStorage-6.7.z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "pcs-0:0.9.139-9.el6_7.1.src as a component of Red Hat Enterprise Linux Resilient Storage (v. 6)",
          "product_id": "6Server-ResilientStorage-6.7.z:pcs-0:0.9.139-9.el6_7.1.src"
        },
        "product_reference": "pcs-0:0.9.139-9.el6_7.1.src",
        "relates_to_product_reference": "6Server-ResilientStorage-6.7.z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "pcs-0:0.9.139-9.el6_7.1.x86_64 as a component of Red Hat Enterprise Linux Resilient Storage (v. 6)",
          "product_id": "6Server-ResilientStorage-6.7.z:pcs-0:0.9.139-9.el6_7.1.x86_64"
        },
        "product_reference": "pcs-0:0.9.139-9.el6_7.1.x86_64",
        "relates_to_product_reference": "6Server-ResilientStorage-6.7.z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "pcs-debuginfo-0:0.9.139-9.el6_7.1.i686 as a component of Red Hat Enterprise Linux Resilient Storage (v. 6)",
          "product_id": "6Server-ResilientStorage-6.7.z:pcs-debuginfo-0:0.9.139-9.el6_7.1.i686"
        },
        "product_reference": "pcs-debuginfo-0:0.9.139-9.el6_7.1.i686",
        "relates_to_product_reference": "6Server-ResilientStorage-6.7.z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "pcs-debuginfo-0:0.9.139-9.el6_7.1.x86_64 as a component of Red Hat Enterprise Linux Resilient Storage (v. 6)",
          "product_id": "6Server-ResilientStorage-6.7.z:pcs-debuginfo-0:0.9.139-9.el6_7.1.x86_64"
        },
        "product_reference": "pcs-debuginfo-0:0.9.139-9.el6_7.1.x86_64",
        "relates_to_product_reference": "6Server-ResilientStorage-6.7.z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "pcs-0:0.9.137-13.el7_1.4.src as a component of Red Hat Enterprise Linux Server High Availability (v. 7)",
          "product_id": "7Server-HighAvailability-7.1.Z:pcs-0:0.9.137-13.el7_1.4.src"
        },
        "product_reference": "pcs-0:0.9.137-13.el7_1.4.src",
        "relates_to_product_reference": "7Server-HighAvailability-7.1.Z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "pcs-0:0.9.137-13.el7_1.4.x86_64 as a component of Red Hat Enterprise Linux Server High Availability (v. 7)",
          "product_id": "7Server-HighAvailability-7.1.Z:pcs-0:0.9.137-13.el7_1.4.x86_64"
        },
        "product_reference": "pcs-0:0.9.137-13.el7_1.4.x86_64",
        "relates_to_product_reference": "7Server-HighAvailability-7.1.Z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "pcs-debuginfo-0:0.9.137-13.el7_1.4.x86_64 as a component of Red Hat Enterprise Linux Server High Availability (v. 7)",
          "product_id": "7Server-HighAvailability-7.1.Z:pcs-debuginfo-0:0.9.137-13.el7_1.4.x86_64"
        },
        "product_reference": "pcs-debuginfo-0:0.9.137-13.el7_1.4.x86_64",
        "relates_to_product_reference": "7Server-HighAvailability-7.1.Z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-clufter-0:0.9.137-13.el7_1.4.x86_64 as a component of Red Hat Enterprise Linux Server High Availability (v. 7)",
          "product_id": "7Server-HighAvailability-7.1.Z:python-clufter-0:0.9.137-13.el7_1.4.x86_64"
        },
        "product_reference": "python-clufter-0:0.9.137-13.el7_1.4.x86_64",
        "relates_to_product_reference": "7Server-HighAvailability-7.1.Z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "pcs-0:0.9.137-13.el7_1.4.src as a component of Red Hat Enterprise Linux Server Resilient Storage (v. 7)",
          "product_id": "7Server-ResilientStorage-7.1.Z:pcs-0:0.9.137-13.el7_1.4.src"
        },
        "product_reference": "pcs-0:0.9.137-13.el7_1.4.src",
        "relates_to_product_reference": "7Server-ResilientStorage-7.1.Z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "pcs-0:0.9.137-13.el7_1.4.x86_64 as a component of Red Hat Enterprise Linux Server Resilient Storage (v. 7)",
          "product_id": "7Server-ResilientStorage-7.1.Z:pcs-0:0.9.137-13.el7_1.4.x86_64"
        },
        "product_reference": "pcs-0:0.9.137-13.el7_1.4.x86_64",
        "relates_to_product_reference": "7Server-ResilientStorage-7.1.Z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "pcs-debuginfo-0:0.9.137-13.el7_1.4.x86_64 as a component of Red Hat Enterprise Linux Server Resilient Storage (v. 7)",
          "product_id": "7Server-ResilientStorage-7.1.Z:pcs-debuginfo-0:0.9.137-13.el7_1.4.x86_64"
        },
        "product_reference": "pcs-debuginfo-0:0.9.137-13.el7_1.4.x86_64",
        "relates_to_product_reference": "7Server-ResilientStorage-7.1.Z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-clufter-0:0.9.137-13.el7_1.4.x86_64 as a component of Red Hat Enterprise Linux Server Resilient Storage (v. 7)",
          "product_id": "7Server-ResilientStorage-7.1.Z:python-clufter-0:0.9.137-13.el7_1.4.x86_64"
        },
        "product_reference": "python-clufter-0:0.9.137-13.el7_1.4.x86_64",
        "relates_to_product_reference": "7Server-ResilientStorage-7.1.Z"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "Tom\u00e1\u0161 Jel\u00ednek"
          ],
          "organization": "Red Hat",
          "summary": "This issue was discovered by Red Hat."
        }
      ],
      "cve": "CVE-2015-5189",
      "cwe": {
        "id": "CWE-863",
        "name": "Incorrect Authorization"
      },
      "discovery_date": "2015-08-11T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1252805"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A race condition was found in the way the pcsd web UI backend performed authorization of user requests. An attacker could use this flaw to send a request that would be evaluated as originating from a different user, potentially allowing the attacker to perform actions with permissions of a more privileged user.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "pcs: Incorrect authorization when using pcs web UI",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Server-HighAvailability-6.7.z:pcs-0:0.9.139-9.el6_7.1.i686",
          "6Server-HighAvailability-6.7.z:pcs-0:0.9.139-9.el6_7.1.src",
          "6Server-HighAvailability-6.7.z:pcs-0:0.9.139-9.el6_7.1.x86_64",
          "6Server-HighAvailability-6.7.z:pcs-debuginfo-0:0.9.139-9.el6_7.1.i686",
          "6Server-HighAvailability-6.7.z:pcs-debuginfo-0:0.9.139-9.el6_7.1.x86_64",
          "6Server-ResilientStorage-6.7.z:pcs-0:0.9.139-9.el6_7.1.i686",
          "6Server-ResilientStorage-6.7.z:pcs-0:0.9.139-9.el6_7.1.src",
          "6Server-ResilientStorage-6.7.z:pcs-0:0.9.139-9.el6_7.1.x86_64",
          "6Server-ResilientStorage-6.7.z:pcs-debuginfo-0:0.9.139-9.el6_7.1.i686",
          "6Server-ResilientStorage-6.7.z:pcs-debuginfo-0:0.9.139-9.el6_7.1.x86_64",
          "7Server-HighAvailability-7.1.Z:pcs-0:0.9.137-13.el7_1.4.src",
          "7Server-HighAvailability-7.1.Z:pcs-0:0.9.137-13.el7_1.4.x86_64",
          "7Server-HighAvailability-7.1.Z:pcs-debuginfo-0:0.9.137-13.el7_1.4.x86_64",
          "7Server-HighAvailability-7.1.Z:python-clufter-0:0.9.137-13.el7_1.4.x86_64",
          "7Server-ResilientStorage-7.1.Z:pcs-0:0.9.137-13.el7_1.4.src",
          "7Server-ResilientStorage-7.1.Z:pcs-0:0.9.137-13.el7_1.4.x86_64",
          "7Server-ResilientStorage-7.1.Z:pcs-debuginfo-0:0.9.137-13.el7_1.4.x86_64",
          "7Server-ResilientStorage-7.1.Z:python-clufter-0:0.9.137-13.el7_1.4.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2015-5189"
        },
        {
          "category": "external",
          "summary": "RHBZ#1252805",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1252805"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2015-5189",
          "url": "https://www.cve.org/CVERecord?id=CVE-2015-5189"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-5189",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5189"
        }
      ],
      "release_date": "2015-09-01T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2015-09-01T13:41:46+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "6Server-HighAvailability-6.7.z:pcs-0:0.9.139-9.el6_7.1.i686",
            "6Server-HighAvailability-6.7.z:pcs-0:0.9.139-9.el6_7.1.src",
            "6Server-HighAvailability-6.7.z:pcs-0:0.9.139-9.el6_7.1.x86_64",
            "6Server-HighAvailability-6.7.z:pcs-debuginfo-0:0.9.139-9.el6_7.1.i686",
            "6Server-HighAvailability-6.7.z:pcs-debuginfo-0:0.9.139-9.el6_7.1.x86_64",
            "6Server-ResilientStorage-6.7.z:pcs-0:0.9.139-9.el6_7.1.i686",
            "6Server-ResilientStorage-6.7.z:pcs-0:0.9.139-9.el6_7.1.src",
            "6Server-ResilientStorage-6.7.z:pcs-0:0.9.139-9.el6_7.1.x86_64",
            "6Server-ResilientStorage-6.7.z:pcs-debuginfo-0:0.9.139-9.el6_7.1.i686",
            "6Server-ResilientStorage-6.7.z:pcs-debuginfo-0:0.9.139-9.el6_7.1.x86_64",
            "7Server-HighAvailability-7.1.Z:pcs-0:0.9.137-13.el7_1.4.src",
            "7Server-HighAvailability-7.1.Z:pcs-0:0.9.137-13.el7_1.4.x86_64",
            "7Server-HighAvailability-7.1.Z:pcs-debuginfo-0:0.9.137-13.el7_1.4.x86_64",
            "7Server-HighAvailability-7.1.Z:python-clufter-0:0.9.137-13.el7_1.4.x86_64",
            "7Server-ResilientStorage-7.1.Z:pcs-0:0.9.137-13.el7_1.4.src",
            "7Server-ResilientStorage-7.1.Z:pcs-0:0.9.137-13.el7_1.4.x86_64",
            "7Server-ResilientStorage-7.1.Z:pcs-debuginfo-0:0.9.137-13.el7_1.4.x86_64",
            "7Server-ResilientStorage-7.1.Z:python-clufter-0:0.9.137-13.el7_1.4.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2015:1700"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "NONE",
            "baseScore": 4.9,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:N",
            "version": "2.0"
          },
          "products": [
            "6Server-HighAvailability-6.7.z:pcs-0:0.9.139-9.el6_7.1.i686",
            "6Server-HighAvailability-6.7.z:pcs-0:0.9.139-9.el6_7.1.src",
            "6Server-HighAvailability-6.7.z:pcs-0:0.9.139-9.el6_7.1.x86_64",
            "6Server-HighAvailability-6.7.z:pcs-debuginfo-0:0.9.139-9.el6_7.1.i686",
            "6Server-HighAvailability-6.7.z:pcs-debuginfo-0:0.9.139-9.el6_7.1.x86_64",
            "6Server-ResilientStorage-6.7.z:pcs-0:0.9.139-9.el6_7.1.i686",
            "6Server-ResilientStorage-6.7.z:pcs-0:0.9.139-9.el6_7.1.src",
            "6Server-ResilientStorage-6.7.z:pcs-0:0.9.139-9.el6_7.1.x86_64",
            "6Server-ResilientStorage-6.7.z:pcs-debuginfo-0:0.9.139-9.el6_7.1.i686",
            "6Server-ResilientStorage-6.7.z:pcs-debuginfo-0:0.9.139-9.el6_7.1.x86_64",
            "7Server-HighAvailability-7.1.Z:pcs-0:0.9.137-13.el7_1.4.src",
            "7Server-HighAvailability-7.1.Z:pcs-0:0.9.137-13.el7_1.4.x86_64",
            "7Server-HighAvailability-7.1.Z:pcs-debuginfo-0:0.9.137-13.el7_1.4.x86_64",
            "7Server-HighAvailability-7.1.Z:python-clufter-0:0.9.137-13.el7_1.4.x86_64",
            "7Server-ResilientStorage-7.1.Z:pcs-0:0.9.137-13.el7_1.4.src",
            "7Server-ResilientStorage-7.1.Z:pcs-0:0.9.137-13.el7_1.4.x86_64",
            "7Server-ResilientStorage-7.1.Z:pcs-debuginfo-0:0.9.137-13.el7_1.4.x86_64",
            "7Server-ResilientStorage-7.1.Z:python-clufter-0:0.9.137-13.el7_1.4.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "pcs: Incorrect authorization when using pcs web UI"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Tom\u00e1\u0161 Jel\u00ednek"
          ],
          "organization": "Red Hat",
          "summary": "This issue was discovered by Red Hat."
        }
      ],
      "cve": "CVE-2015-5190",
      "cwe": {
        "id": "CWE-77",
        "name": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)"
      },
      "discovery_date": "2015-08-11T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1252813"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A command injection flaw was found in the pcsd web UI. An attacker able to trick a victim that was logged in to the pcsd web UI into visiting a specially crafted URL could use this flaw to execute arbitrary code with root privileges on the server hosting the web UI.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "pcs: Command injection with root privileges.",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Server-HighAvailability-6.7.z:pcs-0:0.9.139-9.el6_7.1.i686",
          "6Server-HighAvailability-6.7.z:pcs-0:0.9.139-9.el6_7.1.src",
          "6Server-HighAvailability-6.7.z:pcs-0:0.9.139-9.el6_7.1.x86_64",
          "6Server-HighAvailability-6.7.z:pcs-debuginfo-0:0.9.139-9.el6_7.1.i686",
          "6Server-HighAvailability-6.7.z:pcs-debuginfo-0:0.9.139-9.el6_7.1.x86_64",
          "6Server-ResilientStorage-6.7.z:pcs-0:0.9.139-9.el6_7.1.i686",
          "6Server-ResilientStorage-6.7.z:pcs-0:0.9.139-9.el6_7.1.src",
          "6Server-ResilientStorage-6.7.z:pcs-0:0.9.139-9.el6_7.1.x86_64",
          "6Server-ResilientStorage-6.7.z:pcs-debuginfo-0:0.9.139-9.el6_7.1.i686",
          "6Server-ResilientStorage-6.7.z:pcs-debuginfo-0:0.9.139-9.el6_7.1.x86_64",
          "7Server-HighAvailability-7.1.Z:pcs-0:0.9.137-13.el7_1.4.src",
          "7Server-HighAvailability-7.1.Z:pcs-0:0.9.137-13.el7_1.4.x86_64",
          "7Server-HighAvailability-7.1.Z:pcs-debuginfo-0:0.9.137-13.el7_1.4.x86_64",
          "7Server-HighAvailability-7.1.Z:python-clufter-0:0.9.137-13.el7_1.4.x86_64",
          "7Server-ResilientStorage-7.1.Z:pcs-0:0.9.137-13.el7_1.4.src",
          "7Server-ResilientStorage-7.1.Z:pcs-0:0.9.137-13.el7_1.4.x86_64",
          "7Server-ResilientStorage-7.1.Z:pcs-debuginfo-0:0.9.137-13.el7_1.4.x86_64",
          "7Server-ResilientStorage-7.1.Z:python-clufter-0:0.9.137-13.el7_1.4.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2015-5190"
        },
        {
          "category": "external",
          "summary": "RHBZ#1252813",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1252813"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2015-5190",
          "url": "https://www.cve.org/CVERecord?id=CVE-2015-5190"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-5190",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5190"
        }
      ],
      "release_date": "2015-09-01T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2015-09-01T13:41:46+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "6Server-HighAvailability-6.7.z:pcs-0:0.9.139-9.el6_7.1.i686",
            "6Server-HighAvailability-6.7.z:pcs-0:0.9.139-9.el6_7.1.src",
            "6Server-HighAvailability-6.7.z:pcs-0:0.9.139-9.el6_7.1.x86_64",
            "6Server-HighAvailability-6.7.z:pcs-debuginfo-0:0.9.139-9.el6_7.1.i686",
            "6Server-HighAvailability-6.7.z:pcs-debuginfo-0:0.9.139-9.el6_7.1.x86_64",
            "6Server-ResilientStorage-6.7.z:pcs-0:0.9.139-9.el6_7.1.i686",
            "6Server-ResilientStorage-6.7.z:pcs-0:0.9.139-9.el6_7.1.src",
            "6Server-ResilientStorage-6.7.z:pcs-0:0.9.139-9.el6_7.1.x86_64",
            "6Server-ResilientStorage-6.7.z:pcs-debuginfo-0:0.9.139-9.el6_7.1.i686",
            "6Server-ResilientStorage-6.7.z:pcs-debuginfo-0:0.9.139-9.el6_7.1.x86_64",
            "7Server-HighAvailability-7.1.Z:pcs-0:0.9.137-13.el7_1.4.src",
            "7Server-HighAvailability-7.1.Z:pcs-0:0.9.137-13.el7_1.4.x86_64",
            "7Server-HighAvailability-7.1.Z:pcs-debuginfo-0:0.9.137-13.el7_1.4.x86_64",
            "7Server-HighAvailability-7.1.Z:python-clufter-0:0.9.137-13.el7_1.4.x86_64",
            "7Server-ResilientStorage-7.1.Z:pcs-0:0.9.137-13.el7_1.4.src",
            "7Server-ResilientStorage-7.1.Z:pcs-0:0.9.137-13.el7_1.4.x86_64",
            "7Server-ResilientStorage-7.1.Z:pcs-debuginfo-0:0.9.137-13.el7_1.4.x86_64",
            "7Server-ResilientStorage-7.1.Z:python-clufter-0:0.9.137-13.el7_1.4.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2015:1700"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "COMPLETE",
            "baseScore": 9.3,
            "confidentialityImpact": "COMPLETE",
            "integrityImpact": "COMPLETE",
            "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          "products": [
            "6Server-HighAvailability-6.7.z:pcs-0:0.9.139-9.el6_7.1.i686",
            "6Server-HighAvailability-6.7.z:pcs-0:0.9.139-9.el6_7.1.src",
            "6Server-HighAvailability-6.7.z:pcs-0:0.9.139-9.el6_7.1.x86_64",
            "6Server-HighAvailability-6.7.z:pcs-debuginfo-0:0.9.139-9.el6_7.1.i686",
            "6Server-HighAvailability-6.7.z:pcs-debuginfo-0:0.9.139-9.el6_7.1.x86_64",
            "6Server-ResilientStorage-6.7.z:pcs-0:0.9.139-9.el6_7.1.i686",
            "6Server-ResilientStorage-6.7.z:pcs-0:0.9.139-9.el6_7.1.src",
            "6Server-ResilientStorage-6.7.z:pcs-0:0.9.139-9.el6_7.1.x86_64",
            "6Server-ResilientStorage-6.7.z:pcs-debuginfo-0:0.9.139-9.el6_7.1.i686",
            "6Server-ResilientStorage-6.7.z:pcs-debuginfo-0:0.9.139-9.el6_7.1.x86_64",
            "7Server-HighAvailability-7.1.Z:pcs-0:0.9.137-13.el7_1.4.src",
            "7Server-HighAvailability-7.1.Z:pcs-0:0.9.137-13.el7_1.4.x86_64",
            "7Server-HighAvailability-7.1.Z:pcs-debuginfo-0:0.9.137-13.el7_1.4.x86_64",
            "7Server-HighAvailability-7.1.Z:python-clufter-0:0.9.137-13.el7_1.4.x86_64",
            "7Server-ResilientStorage-7.1.Z:pcs-0:0.9.137-13.el7_1.4.src",
            "7Server-ResilientStorage-7.1.Z:pcs-0:0.9.137-13.el7_1.4.x86_64",
            "7Server-ResilientStorage-7.1.Z:pcs-debuginfo-0:0.9.137-13.el7_1.4.x86_64",
            "7Server-ResilientStorage-7.1.Z:python-clufter-0:0.9.137-13.el7_1.4.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "pcs: Command injection with root privileges."
    }
  ]
}

