{
  "threat_severity" : "Moderate",
  "public_date" : "2018-04-09T00:00:00Z",
  "bugzilla" : {
    "description" : "pcs: Debug parameter removal bypass, allowing information disclosure",
    "id" : "1557366",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1557366"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.3",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-20",
  "details" : [ "pcs versions before 0.9.164 and 0.10 are vulnerable to a debug parameter removal bypass. The REST interface of the pcsd service did not properly remove the pcs debug argument from the /run_pcs query, possibly disclosing sensitive information. A remote attacker with a valid token could use this flaw to elevate their privilege.", "It was found that the REST interface of the pcsd service did not properly remove the pcs debug argument from the /run_pcs query, possibly disclosing sensitive information. A remote attacker with a valid token could use this flaw to elevate their privilege." ],
  "acknowledgement" : "This issue was discovered by Cedric Buissart (Red Hat).",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "release_date" : "2018-06-19T00:00:00Z",
    "advisory" : "RHSA-2018:1927",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6",
    "package" : "pcs-0:0.9.155-3.el6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2018-04-10T00:00:00Z",
    "advisory" : "RHSA-2018:1060",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "pcs-0:0.9.162-5.el7_5.1"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "pcs",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Storage 3",
    "fix_state" : "Not affected",
    "package_name" : "pcs",
    "cpe" : "cpe:/a:redhat:storage:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2018-1086\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-1086" ],
  "name" : "CVE-2018-1086",
  "csaw" : false
}