Poki

**Name of the Vulnerable Software and Affected Versions** Pacemaker versions prior to 1.1.16 **Description** An authorization flaw was found where Pacemaker did not properly guard its IPC interface. An attacker with an unprivileged account on a Pacemaker node could use this flaw to gain root access on the machine, for example, by forcing the Local Resource Manager daemon to execute a script as root. **Recommendations** For versions prior to 1.1.16, update to version 1.1.16 or later to resolve the issue. As a temporary workaround, consider restricting access to the IPC interface to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Luci version 0.26.0 **Description** A race condition exists that creates the /var/lib/luci/etc/luci.ini file with world-readable permissions before the permissions are restricted. This allows local users to read the file and obtain sensitive information, including authentication secrets. **Recommendations** For Luci version 0.26.0, consider restricting access to the /var/lib/luci/etc/luci.ini file until a patch is available. As a temporary workaround, manually change the permissions of the luci.ini file to prevent unauthorized access.

**Name of the Vulnerable Software and Affected Versions** Luci version 0.26.0 **Description** The issue allows local users to gain privileges via a Trojan horse .egg-info file in the current working directory or its parent directories, due to an untrusted search path vulnerability in python-paste-script (aka paster) when started using the initscript. **Recommendations** For Luci version 0.26.0, consider restricting access to the `python-paste-script` module until a patch is available, and avoid using the initscript to start Luci to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.