CVE-2010-2496
5.5
MEDIUM
CVSS 3.1
EPSS 0.04%
Description
stonith-ng in pacemaker and cluster-glue passed passwords as command-line parameters, making it possible for local attackers to gain access to passwords of the HA stack and potentially influence its operations. This is fixed in cluster-glue 1.0.6 and newer, and pacemaker 1.1.3 and newer.
How to fix CVE-2010-2496
To remediate CVE-2010-2496, upgrade the affected package to a fixed version below.
- Debian/cluster-glue—upgrade to 1.0.6-1 or later
- —upgrade to 1.1.13-1 or later
Is CVE-2010-2496 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 1.0.6-1
- from 0, < 1.1.13-1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.5 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |