CVE-2022-1049

A flaw was found in the Pacemaker configuration tool (pcs). The pcs daemon was allowing expired accounts, and accounts with expired passwords to login when using PAM authentication. Therefore, unprivileged expired accounts that have been denied access could still login.

Published: Mar 25, 2022
Updated: Apr 14, 2023
CVE: CVE-2022-1049
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.8
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Medium
Score: 6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P

CWEs:

CWE-287

OWASP TOP 10:

A2 - Broken Authentication

Affected Software
References

Software	From	Fixed in
clusterlabs / pcs	-	0.11.2.x
debian / debian_linux	10.0	10.0.x
debian / debian_linux	11.0	11.0.x

https://huntr.dev/bounties/7aa921fc-a568-4fd8-96f4-7cd826246aa5
https://lists.debian.org/debian-lts-announce/2022/09/msg00017.html
https://www.debian.org/security/2022/dsa-5226

Vulnerability Database

289,697

CVE-2022-1049