{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "stonith-ng in pacemaker and cluster-glue passed passwords as commandline parameters, making it possible for local attackers to gain access to passwords of the HA stack and potentially influence its operations. This is fixed in cluster-glue 1.0.6 and newer, and pacemaker 1.1.3 and newer."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-10-18T12:12:42", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2010-2496"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2010-2496", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "stonith-ng in pacemaker and cluster-glue passed passwords as commandline parameters, making it possible for local attackers to gain access to passwords of the HA stack and potentially influence its operations. This is fixed in cluster-glue 1.0.6 and newer, and pacemaker 1.1.3 and newer."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2010-2496", "refsource": "MISC", "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2010-2496"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T02:32:16.898Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2010-2496"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2010-2496", "datePublished": "2021-10-18T12:12:42", "dateReserved": "2010-06-28T00:00:00", "dateUpdated": "2024-08-07T02:32:16.898Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:clusterlabs:cluster_glue:*:*:*:*:*:*:*:*", "matchCriteriaId": "BF76BDD3-89ED-48EB-ABD3-01B176FC8FCD", "versionEndExcluding": "1.0.6", "vulnerable": true}, {"criteria": "cpe:2.3:a:clusterlabs:pacemaker:*:*:*:*:*:*:*:*", "matchCriteriaId": "B0202E83-F41F-446A-9EFC-CA82A6F32022", "versionEndExcluding": "1.1.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "stonith-ng in pacemaker and cluster-glue passed passwords as commandline parameters, making it possible for local attackers to gain access to passwords of the HA stack and potentially influence its operations. This is fixed in cluster-glue 1.0.6 and newer, and pacemaker 1.1.3 and newer."}, {"lang": "es", "value": "stonith-ng en pacemaker y cluster-glue pasaba contrase\u00f1as como par\u00e1metros de l\u00ednea de comandos, que hac\u00eda posible que los atacantes locales obtuvieran acceso a las contrase\u00f1as de la pila de HA e influyeran potencialmente en sus operaciones. Esto se ha corregido en cluster-glue versiones 1.0.6 y posteriores, y en pacemaker versiones 1.1.3 y posteriores"}], "id": "CVE-2010-2496", "lastModified": "2021-10-21T22:49:14.483", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-10-18T13:15:08.927", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Mailing List", "Patch", "Third Party Advisory"], "url": "https://bugzilla.suse.com/show_bug.cgi?id=CVE-2010-2496"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "cluster-glue: passes the stonith parameters via the commandline which could result in password leaks", "id": "1974363", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1974363"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-522", "details": ["stonith-ng in pacemaker and cluster-glue passed passwords as commandline parameters, making it possible for local attackers to gain access to passwords of the HA stack and potentially influence its operations. This is fixed in cluster-glue 1.0.6 and newer, and pacemaker 1.1.3 and newer.", "A flaw was found in cluster-glue, where the stonith-ng function in cluster-glue passed passwords as command line parameters. This flaw allows local attackers to gain access to passwords of the HA stack and potentially influence its operations. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability."], "name": "CVE-2010-2496", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "cluster-glue", "product_name": "Red Hat Enterprise Linux 6"}], "public_date": "2010-07-08T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2010-2496\nhttps://nvd.nist.gov/vuln/detail/CVE-2010-2496\nhttps://github.com/ClusterLabs/cluster-glue/commit/3d7b464439ee0271da76e0ee9480f3dc14005879\nhttps://github.com/ClusterLabs/pacemaker/commit/7901f43c5800374d41ae2287fe122692fe045664"], "threat_severity": "Moderate", "upstream_fix": "cluster-glue 1.0.6"}