PT-2022-4669 · Unknown · Corosync/Pacemaker PCS

Ondrej Mular · Published 2022-09-01 · Updated 2025-09-04 · CVE-2022-2735

CVSS v2.0: 9.0 (High)

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

corosync/pacemaker PCS (affected versions not specified)

Description

The issue is an insufficient authentication procedure in the corosync/pacemaker PCS utility, which a remote attacker can exploit to escalate privileges. It is caused by incorrect permissions on a Unix socket used for internal communication between PCS daemons, which allow an attacker to obtain an authentication token for the hacluster user and gain complete control over the cluster managed by PCS.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

Incorrect Default Permissions

Related Identifiers

ALSA-2022:6313
ALSA-2022:6314
ALT-PU-2022-3215
ALT-PU-2023-5630
ALT-PU-2024-7827
BDU:2022-05554
CESA-2022_6314
CVE-2022-2735
DSA-5226-1
OESA-2022-1961
RHSA-2022:6312
RHSA-2022:6313
RHSA-2022:6314
RHSA-2022:6341
RHSA-2022_6313
RHSA-2022_6314
RLSA-2022:6313
RLSA-2022:6314
ROSA-SA-2023-2240
USN-7614-1

Affected Products

ALT Linux
AlmaLinux
CentOS
Linux Mint
Red Hat
RED OS
Rocky Linux
Ubuntu
Corosync/Pacemaker PCS