CVE Vulnerability

CVE-2022-2735

A vulnerability was found in the PCS project. This issue occurs due to incorrect permissions on a Unix socket used for internal communication between PCS daemons. A privilege escalation could happen by obtaining an authentication token for a hacluster user. With the "hacluster" token, this flaw allows an attacker to have complete control over the cluster managed by PCS.

7.8 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://www.openwall.com/lists/oss-security/2022/09/01/4 Mailing List Release Notes
https://bugzilla.redhat.com/show_bug.cgi?id=2116815 Issue Tracking Patch
https://access.redhat.com/security/cve/CVE-2022-2735 Third Party Advisory
https://www.debian.org/security/2022/dsa-5226 Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:clusterlabs:pcs:*:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
Information

Published : 2022-09-06 06:15

Updated : 2023-02-12 10:15

NVD link : CVE-2022-2735

Mitre link : CVE-2022-2735

Products Affected
No products.
CWE
CWE-276

Incorrect Default Permissions