1557366 – (CVE-2018-1086) CVE-2018-1086 pcs: Debug parameter removal bypass, allowing information disclosure

Bug 1557366 (CVE-2018-1086) - CVE-2018-1086 pcs: Debug parameter removal bypass, allowing information disclosure

Summary: CVE-2018-1086 pcs: Debug parameter removal bypass, allowing information discl...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2018-1086
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1557252 1557253 1557962 1565090 1565091
Blocks:	1550244
TreeView+	depends on / blocked

Reported:	2018-03-16 13:41 UTC by Cedric Buissart
Modified:	2021-02-17 00:38 UTC (History)
CC List:	25 users (show)
Fixed In Version:	pcs 0.9.164, pcs 0.10
Clone Of:
Environment:
Last Closed:	2019-06-10 10:17:54 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2018:1060	0	None	None	None	2018-04-10 09:12:05 UTC
Red Hat Product Errata	RHSA-2018:1927	0	None	None	None	2018-06-19 04:55:35 UTC

Description Cedric Buissart 2018-03-16 13:41:36 UTC

To prevent some information disclosure, pcsd actively removes '--debug' from command requested over the REST interface, but this can be bypassed:
----8<---
 235   # do not reveal potentialy sensitive information
 236   command_decoded.delete('--debug')
---->8----

The information gained could then be used to gain higher privileges.

Comment 8 Cedric Buissart 2018-03-22 10:54:12 UTC

Acknowledgments:

Name: Cedric Buissart (Red Hat)

Comment 9 Cedric Buissart 2018-04-09 11:19:18 UTC

Created pcs tracking bugs for this issue:

Affects: fedora-all [bug 1565090]

Comment 11 errata-xmlrpc 2018-04-10 09:11:52 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:1060 https://access.redhat.com/errata/RHSA-2018:1060

Comment 12 errata-xmlrpc 2018-06-19 04:55:22 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2018:1927 https://access.redhat.com/errata/RHSA-2018:1927

Note You need to log in before you can comment on or make changes to this bug.

anprice
apevec
cfeist
chrisw
cluster-maint
idevat
jaruga
jjoyce
jpokorny
jschluet
kbasil
lhh
lpeer
markmc
mburns
omular
rbryant
sclewis
security-response-team
sisharma
slinaber
ssaha
tdecacqu
tojeline
vbellur