CVE-2010-2496
REJECTED
stonith-ng in pacemaker and cluster-glue passed passwords as command-line parameters, making it possible for local attackers to gain access to passwords of the HA stack and potentially influence its operations. This is fixed in cluster-glue 1.0.6 and newer, and pacemaker 1.1.3 and newer.
EPSS 0.04% · 12.7th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:18.04:LTS | cluster-glue | 0, 1.0.12-5ubuntu2, 1.0.12-7 |
| Ubuntu:18.04:LTS | pacemaker | 0, 1.1.16-1ubuntu1, 1.1.18~rc3-1ubuntu1 |
Exploit Intelligence
- CIRCL seen: CVE-2010-2496 (circl-sighting)
- https://bugzilla.suse.com/show_bug.cgi?id=CVE-2010-2496 (circl)
Timeline
- Oct 18, 2021 CVE Published
- Oct 18, 2021 PoC Published
- Feb 4, 2022 EPSS Score
- Mar 29, 2022 EPSS Score
- May 20, 2022 EPSS Score
- Jul 12, 2022 EPSS Score
- Sep 4, 2022 EPSS Score
- Oct 26, 2022 EPSS Score
- Dec 18, 2022 EPSS Score
- Feb 9, 2023 EPSS Score
- Mar 7, 2023 EPSS Score
- Apr 2, 2023 EPSS Score
References
- https://ubuntu.com/security/CVE-2010-2496 third-party-advisory
- https://bugzilla.suse.com/show_bug.cgi?id=620781 third-party-advisory
- https://github.com/ClusterLabs/cluster-glue/commit/3d7b464439ee0271da76e0ee9480f3dc14005879 third-party-advisory
- https://github.com/ClusterLabs/pacemaker/commit/7901f43c5800374d41ae2287fe122692fe045664 third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2010-2496 third-party-advisory