Vulnerability-Lookup

CVE-2015-5190 (GCVE-0-2015-5190)

Vulnerability from cvelistv5 – Published: 2015-09-03 14:00 – Updated: 2024-08-06 06:41

Summary

The pcsd web UI in PCS 0.9.139 and earlier allows remote authenticated users to execute arbitrary commands via "escape characters" in a URL.

Severity ?

No CVSS data available.

CWE

Assigner

redhat

References

URL

CNVD-2015-05862

Vulnerability from cnvd - Published: 2015-09-09

Title

PCS pcsd web UI操作系统命令注入漏洞

Description

PCS是一套利用命令行和Web UI来配置和管理Pacemaker和Corosync（集群软件）的工具。 PCS 0.9.139及之前版本的pcsd web UI中存在安全漏洞。远程攻击者可借助URL中的‘escape characters’利用该漏洞执行任意命令。

Severity

高

Patch Name

PCS pcsd web UI操作系统命令注入漏洞的补丁

Patch Description

PCS是一套利用命令行和Web UI来配置和管理Pacemaker和Corosync（集群软件）的工具。PCS 0.9.139及之前版本的pcsd web UI中存在安全漏洞。远程攻击者可借助URL中的‘escape characters’利用该漏洞执行任意命令。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

用户可参考如下厂商提供的安全公告获取补丁以修复该漏洞： http://rhn.redhat.com/errata/RHSA-2015-1700.html

Reference

http://rhn.redhat.com/errata/RHSA-2015-1700.html

Impacted products

Name
PCS PCS <=0.9.139

Show details on source website

JSON

To clipboard Create KEV Entry

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2015-5190"
    }
  },
  "description": "PCS\u662f\u4e00\u5957\u5229\u7528\u547d\u4ee4\u884c\u548cWeb UI\u6765\u914d\u7f6e\u548c\u7ba1\u7406Pacemaker\u548cCorosync\uff08\u96c6\u7fa4\u8f6f\u4ef6\uff09\u7684\u5de5\u5177\u3002\r\n\r\nPCS 0.9.139\u53ca\u4e4b\u524d\u7248\u672c\u7684pcsd web UI\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u501f\u52a9URL\u4e2d\u7684\u2018escape characters\u2019\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u4efb\u610f\u547d\u4ee4\u3002",
  "discovererName": "Adam Mari\u0161",
  "formalWay": "\u7528\u6237\u53ef\u53c2\u8003\u5982\u4e0b\u5382\u5546\u63d0\u4f9b\u7684\u5b89\u5168\u516c\u544a\u83b7\u53d6\u8865\u4e01\u4ee5\u4fee\u590d\u8be5\u6f0f\u6d1e\uff1a\r\nhttp://rhn.redhat.com/errata/RHSA-2015-1700.html",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2015-05862",
  "openTime": "2015-09-09",
  "patchDescription": "PCS\u662f\u4e00\u5957\u5229\u7528\u547d\u4ee4\u884c\u548cWeb UI\u6765\u914d\u7f6e\u548c\u7ba1\u7406Pacemaker\u548cCorosync\uff08\u96c6\u7fa4\u8f6f\u4ef6\uff09\u7684\u5de5\u5177\u3002PCS 0.9.139\u53ca\u4e4b\u524d\u7248\u672c\u7684pcsd web UI\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u501f\u52a9URL\u4e2d\u7684\u2018escape characters\u2019\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u4efb\u610f\u547d\u4ee4\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "PCS pcsd web UI\u64cd\u4f5c\u7cfb\u7edf\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "PCS PCS \u003c=0.9.139"
  },
  "referenceLink": "http://rhn.redhat.com/errata/RHSA-2015-1700.html",
  "serverity": "\u9ad8",
  "submitTime": "2015-09-06",
  "title": "PCS pcsd web UI\u64cd\u4f5c\u7cfb\u7edf\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e"
}

GSD-2015-5190

Vulnerability from gsd - Updated: 2023-12-13 01:20

Details

The pcsd web UI in PCS 0.9.139 and earlier allows remote authenticated users to execute arbitrary commands via "escape characters" in a URL.

Aliases

CVE-2015-5190

Aliases

CVE-2015-5190

JSON

To clipboard Create KEV Entry

{
  "GSD": {
    "alias": "CVE-2015-5190",
    "description": "The pcsd web UI in PCS 0.9.139 and earlier allows remote authenticated users to execute arbitrary commands via \"escape characters\" in a URL.",
    "id": "GSD-2015-5190",
    "references": [
      "https://access.redhat.com/errata/RHSA-2015:1700"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2015-5190"
      ],
      "details": "The pcsd web UI in PCS 0.9.139 and earlier allows remote authenticated users to execute arbitrary commands via \"escape characters\" in a URL.",
      "id": "GSD-2015-5190",
      "modified": "2023-12-13T01:20:06.016256Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "secalert@redhat.com",
        "ID": "CVE-2015-5190",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "The pcsd web UI in PCS 0.9.139 and earlier allows remote authenticated users to execute arbitrary commands via \"escape characters\" in a URL."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "http://rhn.redhat.com/errata/RHSA-2015-1700.html",
            "refsource": "MISC",
            "url": "http://rhn.redhat.com/errata/RHSA-2015-1700.html"
          },
          {
            "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1252813",
            "refsource": "MISC",
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1252813"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:pacemaker\\/corosync_configuration_system_project:pacemaker\\/corosync_configuration_system:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "0.9.139",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2015-5190"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "The pcsd web UI in PCS 0.9.139 and earlier allows remote authenticated users to execute arbitrary commands via \"escape characters\" in a URL."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-77"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "RHSA-2015:1700",
              "refsource": "REDHAT",
              "tags": [],
              "url": "http://rhn.redhat.com/errata/RHSA-2015-1700.html"
            },
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1252813",
              "refsource": "CONFIRM",
              "tags": [],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1252813"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "COMPLETE",
            "baseScore": 8.5,
            "confidentialityImpact": "COMPLETE",
            "integrityImpact": "COMPLETE",
            "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C",
            "version": "2.0"
          },
          "exploitabilityScore": 6.8,
          "impactScore": 10.0,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        }
      },
      "lastModifiedDate": "2023-02-13T00:50Z",
      "publishedDate": "2015-09-03T14:59Z"
    }
  }
}

GHSA-CR7H-75CF-WM8X

Vulnerability from github – Published: 2022-05-17 04:08 – Updated: 2022-05-17 04:08

Details

The pcsd web UI in PCS 0.9.139 and earlier allows remote authenticated users to execute arbitrary commands via "escape characters" in a URL.

Show details on source website

JSON

To clipboard Create KEV Entry

{
  "affected": [],
  "aliases": [
    "CVE-2015-5190"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-77"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2015-09-03T14:59:00Z",
    "severity": "HIGH"
  },
  "details": "The pcsd web UI in PCS 0.9.139 and earlier allows remote authenticated users to execute arbitrary commands via \"escape characters\" in a URL.",
  "id": "GHSA-cr7h-75cf-wm8x",
  "modified": "2022-05-17T04:08:20Z",
  "published": "2022-05-17T04:08:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5190"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2015:1700"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2015-5190"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1252813"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2015-1700.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

RHSA-2015:1700

Vulnerability from csaf_redhat - Published: 2015-09-01 13:41 - Updated: 2025-11-21 17:53

Summary

Red Hat Security Advisory: pcs security update

Notes

Topic

Updated pcs packages that fix two security issues are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Details

The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities. A command injection flaw was found in the pcsd web UI. An attacker able to trick a victim that was logged in to the pcsd web UI into visiting a specially crafted URL could use this flaw to execute arbitrary code with root privileges on the server hosting the web UI. (CVE-2015-5190) A race condition was found in the way the pcsd web UI backend performed authorization of user requests. An attacker could use this flaw to send a request that would be evaluated as originating from a different user, potentially allowing the attacker to perform actions with permissions of a more privileged user. (CVE-2015-5189) These issues were discovered by Tomáš Jelínek of Red Hat. All pcs users are advised to upgrade to these updated packages, which contain backported patches to correct these issues.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard Create KEV Entry

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Updated pcs packages that fix two security issues are now available for Red\nHat Enterprise Linux 6 and 7.\n\nRed Hat Product Security has rated this update as having Important security\nimpact. Common Vulnerability Scoring System (CVSS) base scores, which give\ndetailed severity ratings, are available for each vulnerability from the\nCVE links in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "The pcs packages provide a command-line configuration system for the\nPacemaker and Corosync utilities.\n\nA command injection flaw was found in the pcsd web UI. An attacker able to\ntrick a victim that was logged in to the pcsd web UI into visiting a\nspecially crafted URL could use this flaw to execute arbitrary code with\nroot privileges on the server hosting the web UI. (CVE-2015-5190)\n\nA race condition was found in the way the pcsd web UI backend performed\nauthorization of user requests. An attacker could use this flaw to send a\nrequest that would be evaluated as originating from a different user,\npotentially allowing the attacker to perform actions with permissions of a\nmore privileged user. (CVE-2015-5189)\n\nThese issues were discovered by Tom\u00e1\u0161 Jel\u00ednek of Red Hat.\n\nAll pcs users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2015:1700",
        "url": "https://access.redhat.com/errata/RHSA-2015:1700"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "1252805",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1252805"
      },
      {
        "category": "external",
        "summary": "1252813",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1252813"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_1700.json"
      }
    ],
    "title": "Red Hat Security Advisory: pcs security update",
    "tracking": {
      "current_release_date": "2025-11-21T17:53:28+00:00",
      "generator": {
        "date": "2025-11-21T17:53:28+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.6.12"
        }
      },
      "id": "RHSA-2015:1700",
      "initial_release_date": "2015-09-01T13:41:46+00:00",
      "revision_history": [
        {
          "date": "2015-09-01T13:41:46+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2015-09-01T13:41:46+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2025-11-21T17:53:28+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux High Availability (v. 6)",
                "product": {
                  "name": "Red Hat Enterprise Linux High Availability (v. 6)",
                  "product_id": "6Server-HighAvailability-6.7.z",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:6::server"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux Resilient Storage (v. 6)",
                "product": {
                  "name": "Red Hat Enterprise Linux Resilient Storage (v. 6)",
                  "product_id": "6Server-ResilientStorage-6.7.z",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:6::server"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux Server High Availability (v. 7)",
                "product": {
                  "name": "Red Hat Enterprise Linux Server High Availability (v. 7)",
                  "product_id": "7Server-HighAvailability-7.1.Z",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:7::server"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux Server Resilient Storage (v. 7)",
                "product": {
                  "name": "Red Hat Enterprise Linux Server Resilient Storage (v. 7)",
                  "product_id": "7Server-ResilientStorage-7.1.Z",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:7::server"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Enterprise Linux"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "pcs-0:0.9.139-9.el6_7.1.x86_64",
                "product": {
                  "name": "pcs-0:0.9.139-9.el6_7.1.x86_64",
                  "product_id": "pcs-0:0.9.139-9.el6_7.1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/pcs@0.9.139-9.el6_7.1?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "pcs-debuginfo-0:0.9.139-9.el6_7.1.x86_64",
                "product": {
                  "name": "pcs-debuginfo-0:0.9.139-9.el6_7.1.x86_64",
                  "product_id": "pcs-debuginfo-0:0.9.139-9.el6_7.1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/pcs-debuginfo@0.9.139-9.el6_7.1?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "pcs-debuginfo-0:0.9.137-13.el7_1.4.x86_64",
                "product": {
                  "name": "pcs-debuginfo-0:0.9.137-13.el7_1.4.x86_64",
                  "product_id": "pcs-debuginfo-0:0.9.137-13.el7_1.4.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/pcs-debuginfo@0.9.137-13.el7_1.4?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "python-clufter-0:0.9.137-13.el7_1.4.x86_64",
                "product": {
                  "name": "python-clufter-0:0.9.137-13.el7_1.4.x86_64",
                  "product_id": "python-clufter-0:0.9.137-13.el7_1.4.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/python-clufter@0.9.137-13.el7_1.4?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "pcs-0:0.9.137-13.el7_1.4.x86_64",
                "product": {
                  "name": "pcs-0:0.9.137-13.el7_1.4.x86_64",
                  "product_id": "pcs-0:0.9.137-13.el7_1.4.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/pcs@0.9.137-13.el7_1.4?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "pcs-0:0.9.139-9.el6_7.1.src",
                "product": {
                  "name": "pcs-0:0.9.139-9.el6_7.1.src",
                  "product_id": "pcs-0:0.9.139-9.el6_7.1.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/pcs@0.9.139-9.el6_7.1?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "pcs-0:0.9.137-13.el7_1.4.src",
                "product": {
                  "name": "pcs-0:0.9.137-13.el7_1.4.src",
                  "product_id": "pcs-0:0.9.137-13.el7_1.4.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/pcs@0.9.137-13.el7_1.4?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "pcs-debuginfo-0:0.9.139-9.el6_7.1.i686",
                "product": {
                  "name": "pcs-debuginfo-0:0.9.139-9.el6_7.1.i686",
                  "product_id": "pcs-debuginfo-0:0.9.139-9.el6_7.1.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/pcs-debuginfo@0.9.139-9.el6_7.1?arch=i686"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "pcs-0:0.9.139-9.el6_7.1.i686",
                "product": {
                  "name": "pcs-0:0.9.139-9.el6_7.1.i686",
                  "product_id": "pcs-0:0.9.139-9.el6_7.1.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/pcs@0.9.139-9.el6_7.1?arch=i686"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "i686"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "pcs-0:0.9.139-9.el6_7.1.i686 as a component of Red Hat Enterprise Linux High Availability (v. 6)",
          "product_id": "6Server-HighAvailability-6.7.z:pcs-0:0.9.139-9.el6_7.1.i686"
        },
        "product_reference": "pcs-0:0.9.139-9.el6_7.1.i686",
        "relates_to_product_reference": "6Server-HighAvailability-6.7.z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "pcs-0:0.9.139-9.el6_7.1.src as a component of Red Hat Enterprise Linux High Availability (v. 6)",
          "product_id": "6Server-HighAvailability-6.7.z:pcs-0:0.9.139-9.el6_7.1.src"
        },
        "product_reference": "pcs-0:0.9.139-9.el6_7.1.src",
        "relates_to_product_reference": "6Server-HighAvailability-6.7.z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "pcs-0:0.9.139-9.el6_7.1.x86_64 as a component of Red Hat Enterprise Linux High Availability (v. 6)",
          "product_id": "6Server-HighAvailability-6.7.z:pcs-0:0.9.139-9.el6_7.1.x86_64"
        },
        "product_reference": "pcs-0:0.9.139-9.el6_7.1.x86_64",
        "relates_to_product_reference": "6Server-HighAvailability-6.7.z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "pcs-debuginfo-0:0.9.139-9.el6_7.1.i686 as a component of Red Hat Enterprise Linux High Availability (v. 6)",
          "product_id": "6Server-HighAvailability-6.7.z:pcs-debuginfo-0:0.9.139-9.el6_7.1.i686"
        },
        "product_reference": "pcs-debuginfo-0:0.9.139-9.el6_7.1.i686",
        "relates_to_product_reference": "6Server-HighAvailability-6.7.z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "pcs-debuginfo-0:0.9.139-9.el6_7.1.x86_64 as a component of Red Hat Enterprise Linux High Availability (v. 6)",
          "product_id": "6Server-HighAvailability-6.7.z:pcs-debuginfo-0:0.9.139-9.el6_7.1.x86_64"
        },
        "product_reference": "pcs-debuginfo-0:0.9.139-9.el6_7.1.x86_64",
        "relates_to_product_reference": "6Server-HighAvailability-6.7.z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "pcs-0:0.9.139-9.el6_7.1.i686 as a component of Red Hat Enterprise Linux Resilient Storage (v. 6)",
          "product_id": "6Server-ResilientStorage-6.7.z:pcs-0:0.9.139-9.el6_7.1.i686"
        },
        "product_reference": "pcs-0:0.9.139-9.el6_7.1.i686",
        "relates_to_product_reference": "6Server-ResilientStorage-6.7.z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "pcs-0:0.9.139-9.el6_7.1.src as a component of Red Hat Enterprise Linux Resilient Storage (v. 6)",
          "product_id": "6Server-ResilientStorage-6.7.z:pcs-0:0.9.139-9.el6_7.1.src"
        },
        "product_reference": "pcs-0:0.9.139-9.el6_7.1.src",
        "relates_to_product_reference": "6Server-ResilientStorage-6.7.z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "pcs-0:0.9.139-9.el6_7.1.x86_64 as a component of Red Hat Enterprise Linux Resilient Storage (v. 6)",
          "product_id": "6Server-ResilientStorage-6.7.z:pcs-0:0.9.139-9.el6_7.1.x86_64"
        },
        "product_reference": "pcs-0:0.9.139-9.el6_7.1.x86_64",
        "relates_to_product_reference": "6Server-ResilientStorage-6.7.z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "pcs-debuginfo-0:0.9.139-9.el6_7.1.i686 as a component of Red Hat Enterprise Linux Resilient Storage (v. 6)",
          "product_id": "6Server-ResilientStorage-6.7.z:pcs-debuginfo-0:0.9.139-9.el6_7.1.i686"
        },
        "product_reference": "pcs-debuginfo-0:0.9.139-9.el6_7.1.i686",
        "relates_to_product_reference": "6Server-ResilientStorage-6.7.z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "pcs-debuginfo-0:0.9.139-9.el6_7.1.x86_64 as a component of Red Hat Enterprise Linux Resilient Storage (v. 6)",
          "product_id": "6Server-ResilientStorage-6.7.z:pcs-debuginfo-0:0.9.139-9.el6_7.1.x86_64"
        },
        "product_reference": "pcs-debuginfo-0:0.9.139-9.el6_7.1.x86_64",
        "relates_to_product_reference": "6Server-ResilientStorage-6.7.z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "pcs-0:0.9.137-13.el7_1.4.src as a component of Red Hat Enterprise Linux Server High Availability (v. 7)",
          "product_id": "7Server-HighAvailability-7.1.Z:pcs-0:0.9.137-13.el7_1.4.src"
        },
        "product_reference": "pcs-0:0.9.137-13.el7_1.4.src",
        "relates_to_product_reference": "7Server-HighAvailability-7.1.Z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "pcs-0:0.9.137-13.el7_1.4.x86_64 as a component of Red Hat Enterprise Linux Server High Availability (v. 7)",
          "product_id": "7Server-HighAvailability-7.1.Z:pcs-0:0.9.137-13.el7_1.4.x86_64"
        },
        "product_reference": "pcs-0:0.9.137-13.el7_1.4.x86_64",
        "relates_to_product_reference": "7Server-HighAvailability-7.1.Z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "pcs-debuginfo-0:0.9.137-13.el7_1.4.x86_64 as a component of Red Hat Enterprise Linux Server High Availability (v. 7)",
          "product_id": "7Server-HighAvailability-7.1.Z:pcs-debuginfo-0:0.9.137-13.el7_1.4.x86_64"
        },
        "product_reference": "pcs-debuginfo-0:0.9.137-13.el7_1.4.x86_64",
        "relates_to_product_reference": "7Server-HighAvailability-7.1.Z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-clufter-0:0.9.137-13.el7_1.4.x86_64 as a component of Red Hat Enterprise Linux Server High Availability (v. 7)",
          "product_id": "7Server-HighAvailability-7.1.Z:python-clufter-0:0.9.137-13.el7_1.4.x86_64"
        },
        "product_reference": "python-clufter-0:0.9.137-13.el7_1.4.x86_64",
        "relates_to_product_reference": "7Server-HighAvailability-7.1.Z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "pcs-0:0.9.137-13.el7_1.4.src as a component of Red Hat Enterprise Linux Server Resilient Storage (v. 7)",
          "product_id": "7Server-ResilientStorage-7.1.Z:pcs-0:0.9.137-13.el7_1.4.src"
        },
        "product_reference": "pcs-0:0.9.137-13.el7_1.4.src",
        "relates_to_product_reference": "7Server-ResilientStorage-7.1.Z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "pcs-0:0.9.137-13.el7_1.4.x86_64 as a component of Red Hat Enterprise Linux Server Resilient Storage (v. 7)",
          "product_id": "7Server-ResilientStorage-7.1.Z:pcs-0:0.9.137-13.el7_1.4.x86_64"
        },
        "product_reference": "pcs-0:0.9.137-13.el7_1.4.x86_64",
        "relates_to_product_reference": "7Server-ResilientStorage-7.1.Z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "pcs-debuginfo-0:0.9.137-13.el7_1.4.x86_64 as a component of Red Hat Enterprise Linux Server Resilient Storage (v. 7)",
          "product_id": "7Server-ResilientStorage-7.1.Z:pcs-debuginfo-0:0.9.137-13.el7_1.4.x86_64"
        },
        "product_reference": "pcs-debuginfo-0:0.9.137-13.el7_1.4.x86_64",
        "relates_to_product_reference": "7Server-ResilientStorage-7.1.Z"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-clufter-0:0.9.137-13.el7_1.4.x86_64 as a component of Red Hat Enterprise Linux Server Resilient Storage (v. 7)",
          "product_id": "7Server-ResilientStorage-7.1.Z:python-clufter-0:0.9.137-13.el7_1.4.x86_64"
        },
        "product_reference": "python-clufter-0:0.9.137-13.el7_1.4.x86_64",
        "relates_to_product_reference": "7Server-ResilientStorage-7.1.Z"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "Tom\u00e1\u0161 Jel\u00ednek"
          ],
          "organization": "Red Hat",
          "summary": "This issue was discovered by Red Hat."
        }
      ],
      "cve": "CVE-2015-5189",
      "cwe": {
        "id": "CWE-863",
        "name": "Incorrect Authorization"
      },
      "discovery_date": "2015-08-11T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1252805"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A race condition was found in the way the pcsd web UI backend performed authorization of user requests. An attacker could use this flaw to send a request that would be evaluated as originating from a different user, potentially allowing the attacker to perform actions with permissions of a more privileged user.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "pcs: Incorrect authorization when using pcs web UI",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Server-HighAvailability-6.7.z:pcs-0:0.9.139-9.el6_7.1.i686",
          "6Server-HighAvailability-6.7.z:pcs-0:0.9.139-9.el6_7.1.src",
          "6Server-HighAvailability-6.7.z:pcs-0:0.9.139-9.el6_7.1.x86_64",
          "6Server-HighAvailability-6.7.z:pcs-debuginfo-0:0.9.139-9.el6_7.1.i686",
          "6Server-HighAvailability-6.7.z:pcs-debuginfo-0:0.9.139-9.el6_7.1.x86_64",
          "6Server-ResilientStorage-6.7.z:pcs-0:0.9.139-9.el6_7.1.i686",
          "6Server-ResilientStorage-6.7.z:pcs-0:0.9.139-9.el6_7.1.src",
          "6Server-ResilientStorage-6.7.z:pcs-0:0.9.139-9.el6_7.1.x86_64",
          "6Server-ResilientStorage-6.7.z:pcs-debuginfo-0:0.9.139-9.el6_7.1.i686",
          "6Server-ResilientStorage-6.7.z:pcs-debuginfo-0:0.9.139-9.el6_7.1.x86_64",
          "7Server-HighAvailability-7.1.Z:pcs-0:0.9.137-13.el7_1.4.src",
          "7Server-HighAvailability-7.1.Z:pcs-0:0.9.137-13.el7_1.4.x86_64",
          "7Server-HighAvailability-7.1.Z:pcs-debuginfo-0:0.9.137-13.el7_1.4.x86_64",
          "7Server-HighAvailability-7.1.Z:python-clufter-0:0.9.137-13.el7_1.4.x86_64",
          "7Server-ResilientStorage-7.1.Z:pcs-0:0.9.137-13.el7_1.4.src",
          "7Server-ResilientStorage-7.1.Z:pcs-0:0.9.137-13.el7_1.4.x86_64",
          "7Server-ResilientStorage-7.1.Z:pcs-debuginfo-0:0.9.137-13.el7_1.4.x86_64",
          "7Server-ResilientStorage-7.1.Z:python-clufter-0:0.9.137-13.el7_1.4.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2015-5189"
        },
        {
          "category": "external",
          "summary": "RHBZ#1252805",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1252805"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2015-5189",
          "url": "https://www.cve.org/CVERecord?id=CVE-2015-5189"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-5189",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5189"
        }
      ],
      "release_date": "2015-09-01T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2015-09-01T13:41:46+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "6Server-HighAvailability-6.7.z:pcs-0:0.9.139-9.el6_7.1.i686",
            "6Server-HighAvailability-6.7.z:pcs-0:0.9.139-9.el6_7.1.src",
            "6Server-HighAvailability-6.7.z:pcs-0:0.9.139-9.el6_7.1.x86_64",
            "6Server-HighAvailability-6.7.z:pcs-debuginfo-0:0.9.139-9.el6_7.1.i686",
            "6Server-HighAvailability-6.7.z:pcs-debuginfo-0:0.9.139-9.el6_7.1.x86_64",
            "6Server-ResilientStorage-6.7.z:pcs-0:0.9.139-9.el6_7.1.i686",
            "6Server-ResilientStorage-6.7.z:pcs-0:0.9.139-9.el6_7.1.src",
            "6Server-ResilientStorage-6.7.z:pcs-0:0.9.139-9.el6_7.1.x86_64",
            "6Server-ResilientStorage-6.7.z:pcs-debuginfo-0:0.9.139-9.el6_7.1.i686",
            "6Server-ResilientStorage-6.7.z:pcs-debuginfo-0:0.9.139-9.el6_7.1.x86_64",
            "7Server-HighAvailability-7.1.Z:pcs-0:0.9.137-13.el7_1.4.src",
            "7Server-HighAvailability-7.1.Z:pcs-0:0.9.137-13.el7_1.4.x86_64",
            "7Server-HighAvailability-7.1.Z:pcs-debuginfo-0:0.9.137-13.el7_1.4.x86_64",
            "7Server-HighAvailability-7.1.Z:python-clufter-0:0.9.137-13.el7_1.4.x86_64",
            "7Server-ResilientStorage-7.1.Z:pcs-0:0.9.137-13.el7_1.4.src",
            "7Server-ResilientStorage-7.1.Z:pcs-0:0.9.137-13.el7_1.4.x86_64",
            "7Server-ResilientStorage-7.1.Z:pcs-debuginfo-0:0.9.137-13.el7_1.4.x86_64",
            "7Server-ResilientStorage-7.1.Z:python-clufter-0:0.9.137-13.el7_1.4.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2015:1700"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "NONE",
            "baseScore": 4.9,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:N",
            "version": "2.0"
          },
          "products": [
            "6Server-HighAvailability-6.7.z:pcs-0:0.9.139-9.el6_7.1.i686",
            "6Server-HighAvailability-6.7.z:pcs-0:0.9.139-9.el6_7.1.src",
            "6Server-HighAvailability-6.7.z:pcs-0:0.9.139-9.el6_7.1.x86_64",
            "6Server-HighAvailability-6.7.z:pcs-debuginfo-0:0.9.139-9.el6_7.1.i686",
            "6Server-HighAvailability-6.7.z:pcs-debuginfo-0:0.9.139-9.el6_7.1.x86_64",
            "6Server-ResilientStorage-6.7.z:pcs-0:0.9.139-9.el6_7.1.i686",
            "6Server-ResilientStorage-6.7.z:pcs-0:0.9.139-9.el6_7.1.src",
            "6Server-ResilientStorage-6.7.z:pcs-0:0.9.139-9.el6_7.1.x86_64",
            "6Server-ResilientStorage-6.7.z:pcs-debuginfo-0:0.9.139-9.el6_7.1.i686",
            "6Server-ResilientStorage-6.7.z:pcs-debuginfo-0:0.9.139-9.el6_7.1.x86_64",
            "7Server-HighAvailability-7.1.Z:pcs-0:0.9.137-13.el7_1.4.src",
            "7Server-HighAvailability-7.1.Z:pcs-0:0.9.137-13.el7_1.4.x86_64",
            "7Server-HighAvailability-7.1.Z:pcs-debuginfo-0:0.9.137-13.el7_1.4.x86_64",
            "7Server-HighAvailability-7.1.Z:python-clufter-0:0.9.137-13.el7_1.4.x86_64",
            "7Server-ResilientStorage-7.1.Z:pcs-0:0.9.137-13.el7_1.4.src",
            "7Server-ResilientStorage-7.1.Z:pcs-0:0.9.137-13.el7_1.4.x86_64",
            "7Server-ResilientStorage-7.1.Z:pcs-debuginfo-0:0.9.137-13.el7_1.4.x86_64",
            "7Server-ResilientStorage-7.1.Z:python-clufter-0:0.9.137-13.el7_1.4.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "pcs: Incorrect authorization when using pcs web UI"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Tom\u00e1\u0161 Jel\u00ednek"
          ],
          "organization": "Red Hat",
          "summary": "This issue was discovered by Red Hat."
        }
      ],
      "cve": "CVE-2015-5190",
      "cwe": {
        "id": "CWE-77",
        "name": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)"
      },
      "discovery_date": "2015-08-11T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1252813"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A command injection flaw was found in the pcsd web UI. An attacker able to trick a victim that was logged in to the pcsd web UI into visiting a specially crafted URL could use this flaw to execute arbitrary code with root privileges on the server hosting the web UI.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "pcs: Command injection with root privileges.",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Server-HighAvailability-6.7.z:pcs-0:0.9.139-9.el6_7.1.i686",
          "6Server-HighAvailability-6.7.z:pcs-0:0.9.139-9.el6_7.1.src",
          "6Server-HighAvailability-6.7.z:pcs-0:0.9.139-9.el6_7.1.x86_64",
          "6Server-HighAvailability-6.7.z:pcs-debuginfo-0:0.9.139-9.el6_7.1.i686",
          "6Server-HighAvailability-6.7.z:pcs-debuginfo-0:0.9.139-9.el6_7.1.x86_64",
          "6Server-ResilientStorage-6.7.z:pcs-0:0.9.139-9.el6_7.1.i686",
          "6Server-ResilientStorage-6.7.z:pcs-0:0.9.139-9.el6_7.1.src",
          "6Server-ResilientStorage-6.7.z:pcs-0:0.9.139-9.el6_7.1.x86_64",
          "6Server-ResilientStorage-6.7.z:pcs-debuginfo-0:0.9.139-9.el6_7.1.i686",
          "6Server-ResilientStorage-6.7.z:pcs-debuginfo-0:0.9.139-9.el6_7.1.x86_64",
          "7Server-HighAvailability-7.1.Z:pcs-0:0.9.137-13.el7_1.4.src",
          "7Server-HighAvailability-7.1.Z:pcs-0:0.9.137-13.el7_1.4.x86_64",
          "7Server-HighAvailability-7.1.Z:pcs-debuginfo-0:0.9.137-13.el7_1.4.x86_64",
          "7Server-HighAvailability-7.1.Z:python-clufter-0:0.9.137-13.el7_1.4.x86_64",
          "7Server-ResilientStorage-7.1.Z:pcs-0:0.9.137-13.el7_1.4.src",
          "7Server-ResilientStorage-7.1.Z:pcs-0:0.9.137-13.el7_1.4.x86_64",
          "7Server-ResilientStorage-7.1.Z:pcs-debuginfo-0:0.9.137-13.el7_1.4.x86_64",
          "7Server-ResilientStorage-7.1.Z:python-clufter-0:0.9.137-13.el7_1.4.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2015-5190"
        },
        {
          "category": "external",
          "summary": "RHBZ#1252813",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1252813"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2015-5190",
          "url": "https://www.cve.org/CVERecord?id=CVE-2015-5190"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-5190",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5190"
        }
      ],
      "release_date": "2015-09-01T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2015-09-01T13:41:46+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "6Server-HighAvailability-6.7.z:pcs-0:0.9.139-9.el6_7.1.i686",
            "6Server-HighAvailability-6.7.z:pcs-0:0.9.139-9.el6_7.1.src",
            "6Server-HighAvailability-6.7.z:pcs-0:0.9.139-9.el6_7.1.x86_64",
            "6Server-HighAvailability-6.7.z:pcs-debuginfo-0:0.9.139-9.el6_7.1.i686",
            "6Server-HighAvailability-6.7.z:pcs-debuginfo-0:0.9.139-9.el6_7.1.x86_64",
            "6Server-ResilientStorage-6.7.z:pcs-0:0.9.139-9.el6_7.1.i686",
            "6Server-ResilientStorage-6.7.z:pcs-0:0.9.139-9.el6_7.1.src",
            "6Server-ResilientStorage-6.7.z:pcs-0:0.9.139-9.el6_7.1.x86_64",
            "6Server-ResilientStorage-6.7.z:pcs-debuginfo-0:0.9.139-9.el6_7.1.i686",
            "6Server-ResilientStorage-6.7.z:pcs-debuginfo-0:0.9.139-9.el6_7.1.x86_64",
            "7Server-HighAvailability-7.1.Z:pcs-0:0.9.137-13.el7_1.4.src",
            "7Server-HighAvailability-7.1.Z:pcs-0:0.9.137-13.el7_1.4.x86_64",
            "7Server-HighAvailability-7.1.Z:pcs-debuginfo-0:0.9.137-13.el7_1.4.x86_64",
            "7Server-HighAvailability-7.1.Z:python-clufter-0:0.9.137-13.el7_1.4.x86_64",
            "7Server-ResilientStorage-7.1.Z:pcs-0:0.9.137-13.el7_1.4.src",
            "7Server-ResilientStorage-7.1.Z:pcs-0:0.9.137-13.el7_1.4.x86_64",
            "7Server-ResilientStorage-7.1.Z:pcs-debuginfo-0:0.9.137-13.el7_1.4.x86_64",
            "7Server-ResilientStorage-7.1.Z:python-clufter-0:0.9.137-13.el7_1.4.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2015:1700"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "COMPLETE",
            "baseScore": 9.3,
            "confidentialityImpact": "COMPLETE",
            "integrityImpact": "COMPLETE",
            "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          "products": [
            "6Server-HighAvailability-6.7.z:pcs-0:0.9.139-9.el6_7.1.i686",
            "6Server-HighAvailability-6.7.z:pcs-0:0.9.139-9.el6_7.1.src",
            "6Server-HighAvailability-6.7.z:pcs-0:0.9.139-9.el6_7.1.x86_64",
            "6Server-HighAvailability-6.7.z:pcs-debuginfo-0:0.9.139-9.el6_7.1.i686",
            "6Server-HighAvailability-6.7.z:pcs-debuginfo-0:0.9.139-9.el6_7.1.x86_64",
            "6Server-ResilientStorage-6.7.z:pcs-0:0.9.139-9.el6_7.1.i686",
            "6Server-ResilientStorage-6.7.z:pcs-0:0.9.139-9.el6_7.1.src",
            "6Server-ResilientStorage-6.7.z:pcs-0:0.9.139-9.el6_7.1.x86_64",
            "6Server-ResilientStorage-6.7.z:pcs-debuginfo-0:0.9.139-9.el6_7.1.i686",
            "6Server-ResilientStorage-6.7.z:pcs-debuginfo-0:0.9.139-9.el6_7.1.x86_64",
            "7Server-HighAvailability-7.1.Z:pcs-0:0.9.137-13.el7_1.4.src",
            "7Server-HighAvailability-7.1.Z:pcs-0:0.9.137-13.el7_1.4.x86_64",
            "7Server-HighAvailability-7.1.Z:pcs-debuginfo-0:0.9.137-13.el7_1.4.x86_64",
            "7Server-HighAvailability-7.1.Z:python-clufter-0:0.9.137-13.el7_1.4.x86_64",
            "7Server-ResilientStorage-7.1.Z:pcs-0:0.9.137-13.el7_1.4.src",
            "7Server-ResilientStorage-7.1.Z:pcs-0:0.9.137-13.el7_1.4.x86_64",
            "7Server-ResilientStorage-7.1.Z:pcs-debuginfo-0:0.9.137-13.el7_1.4.x86_64",
            "7Server-ResilientStorage-7.1.Z:python-clufter-0:0.9.137-13.el7_1.4.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "pcs: Command injection with root privileges."
    }
  ]
}

FKIE_CVE-2015-5190

Vulnerability from fkie_nvd - Published: 2015-09-03 14:59 - Updated: 2025-04-12 10:46

Severity ?

Summary

The pcsd web UI in PCS 0.9.139 and earlier allows remote authenticated users to execute arbitrary commands via "escape characters" in a URL.

References

	URL	Tags
	secalert@redhat.com	http://rhn.redhat.com/errata/RHSA-2015-1700.html
	secalert@redhat.com	https://bugzilla.redhat.com/show_bug.cgi?id=1252813
	af854a3a-2127-422b-91ae-364da2661108	http://rhn.redhat.com/errata/RHSA-2015-1700.html
	af854a3a-2127-422b-91ae-364da2661108	https://bugzilla.redhat.com/show_bug.cgi?id=1252813

Impacted products

	Vendor	Product	Version
	pacemaker\/corosync_configuration_system_project	pacemaker\/corosync_configuration_system	*

JSON

To clipboard Create KEV Entry

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:pacemaker\\/corosync_configuration_system_project:pacemaker\\/corosync_configuration_system:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "69E6BE70-8D68-4908-B755-AC7509BC9B40",
              "versionEndIncluding": "0.9.139",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The pcsd web UI in PCS 0.9.139 and earlier allows remote authenticated users to execute arbitrary commands via \"escape characters\" in a URL."
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad en la web UI pcsd en PCS 0.9.139 y en versiones anteriores, permite a usuarios remotos autenticados ejecutar comandos arbitrarios a trav\u00e9s de \u0027caracteres de escape\u0027 en una URL."
    }
  ],
  "id": "CVE-2015-5190",
  "lastModified": "2025-04-12T10:46:40.837",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 8.5,
          "confidentialityImpact": "COMPLETE",
          "integrityImpact": "COMPLETE",
          "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C",
          "version": "2.0"
        },
        "exploitabilityScore": 6.8,
        "impactScore": 10.0,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2015-09-03T14:59:04.337",
  "references": [
    {
      "source": "secalert@redhat.com",
      "url": "http://rhn.redhat.com/errata/RHSA-2015-1700.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1252813"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://rhn.redhat.com/errata/RHSA-2015-1700.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1252813"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-77"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2015-5190 (GCVE-0-2015-5190)

CNVD-2015-05862

GSD-2015-5190

GHSA-CR7H-75CF-WM8X

RHSA-2015:1700

FKIE_CVE-2015-5190

Tags

Sightings

Nomenclature