CVE-2020-25654
pacemaker - security update
Severity: 7.2 HIGH (CVSS 3.1) | EPSS: 0.09%
Description
An ACL bypass flaw was found in pacemaker. An attacker having a local account on the cluster and in the haclient group could use IPC communication with various daemons directly to perform certain tasks that they would be prevented by ACLs from doing if they went through the configuration. In other words, ACLs were enforced on requests that went through the cluster configuration (the CIB), but a haclient-group user could send equivalent requests straight to the daemons over IPC and have them honoured without the ACL check.
How to fix CVE-2020-25654
To remediate CVE-2020-25654, upgrade the affected package to the fixed version for the branch your hosts track (the +deb10u1 suffix marks the Debian 10 stable update; 2.0.5~rc2-1 is the later upstream-based upload):
- upgrade to 2.0.5~rc2-1 or later
- upgrade to 2.0.1-5+deb10u1 or later
Is CVE-2020-25654 being exploited?
Low: EPSS is 0.09%, meaning exploitation activity has not been observed at scale. Note that EPSS estimates exploitation likelihood in the wild; it does not lower the impact for a cluster where untrusted users already hold haclient-group accounts.
Affected packages (2)
- all versions before 2.0.5~rc2-1
- all versions before 2.0.1-5+deb10u1
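The two fixed versions above belong to different branches, and a naive string or "highest version wins" comparison gets this wrong: 2.0.1-5+deb10u1 is a fixed version even though it sorts below 2.0.5~rc2-1, and 2.0.5~rc2-1 is fixed even though the '~' makes it sort below 2.0.5-1. The following added example (it is not code from the advisory or from the pacemaker project) reimplements dpkg's version ordering from deb-version(7) in Python so a version string from dpkg-query can be tested offline against the affected ranges. The branch-selection heuristic in applicable_fix() and all sample version strings are assumptions constructed for illustration.

```python
"""Check pacemaker version strings against the fixed versions named for
CVE-2020-25654, using Debian's version-ordering rules.

Added example, not code from the advisory or the pacemaker project. The
comparison mirrors dpkg's verrevcmp() (see deb-version(7)) so that the
'~rc2' pre-release marker and the '+deb10u1' stable-update suffix sort the
way `dpkg --compare-versions` sorts them. Sample versions are constructed.
"""
import functools

# Fixed versions exactly as listed on the advisory page.
FIXED_VERSIONS = ("2.0.5~rc2-1", "2.0.1-5+deb10u1")


def _is_digit(c: str) -> bool:
    return "0" <= c <= "9"


def _order(c: str) -> int:
    """Collation weight of one character in a non-digit run (dpkg's order())."""
    if c == "" or _is_digit(c):
        return 0
    if ("a" <= c <= "z") or ("A" <= c <= "Z"):
        return ord(c)
    if c == "~":            # '~' sorts before everything, even end of string
        return -1
    return ord(c) + 256     # other punctuation sorts after letters


def _verrevcmp(a: str, b: str) -> int:
    """Compare an upstream-version or revision string like dpkg's verrevcmp()."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character by character using _order().
        while (i < len(a) and not _is_digit(a[i])) or (j < len(b) and not _is_digit(b[j])):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, then the longer run is the larger number,
        # otherwise the first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and _is_digit(a[i]) and _is_digit(b[j]):
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and _is_digit(a[i]):
            return 1
        if j < len(b) and _is_digit(b[j]):
            return -1
        if first_diff:
            return first_diff
    return 0


def split_version(v: str):
    """Split '[epoch:]upstream[-revision]' as deb-version(7) defines it."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, revision = v.rsplit("-", 1)
    else:
        upstream, revision = v, ""   # an absent revision compares equal to "0"
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1, matching `dpkg --compare-versions a lt|eq|gt b`."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return -1 if r < 0 else 1
    return 0


def applicable_fix(installed: str, fixed=FIXED_VERSIONS) -> str:
    """Pick the fixed version for the branch the installed package tracks.

    Heuristic (an assumption of this example, not part of the advisory): a
    stable update keeps its upstream version, so a fixed version whose
    upstream part equals the installed upstream part is the one for that
    release; otherwise fall back to the highest listed fixed version.
    """
    _, upstream, _ = split_version(installed)
    for f in fixed:
        if split_version(f)[1] == upstream:
            return f
    return max(fixed, key=functools.cmp_to_key(compare_versions))


def is_vulnerable(installed: str) -> bool:
    """True when the installed version is below the fix for its branch."""
    return compare_versions(installed, applicable_fix(installed)) < 0


if __name__ == "__main__":
    # Constructed sample inputs; on a real host use:
    #   dpkg-query -W -f='${Version}' pacemaker
    for v in ("2.0.1-5", "2.0.1-5+deb10u1", "2.0.5~rc1-1", "2.0.5~rc2-1", "2.0.5-1"):
        state = "VULNERABLE" if is_vulnerable(v) else "fixed"
        print(f"{v:18s} -> {state} (fix: {applicable_fix(v)})")
```

Run it as a script for the sample report, or import it and feed compare_versions() / is_vulnerable() the string from dpkg-query. The branch heuristic is deliberately conservative: an upstream version that matches neither fixed release (for example 2.0.4-1) is measured against the highest fix, so it is reported vulnerable rather than silently assumed patched.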
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | HIGH | 7.2 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |

The vector's AV:N and PR:H are the scorer's choices; the description itself requires a local account in the haclient group, so treat the 7.2 as an upper bound on remote reachability and focus on who holds haclient membership on cluster nodes.