{"api_version":"1","generated_at":"2026-04-23T04:32:56+00:00","cve":"CVE-2020-25654","urls":{"html":"https://cve.report/CVE-2020-25654","api":"https://cve.report/api/cve/CVE-2020-25654.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2020-25654","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2020-25654"},"summary":{"title":"CVE-2020-25654","description":"An ACL bypass flaw was found in pacemaker. An attacker having a local account on the cluster and in the haclient group could use IPC communication with various daemons directly to perform certain tasks that they would be prevented by ACLs from doing if they went through the configuration.","state":"PUBLIC","assigner":"secalert@redhat.com","published_at":"2020-11-24 20:15:00","updated_at":"2023-09-29 11:15:00"},"problem_types":["NVD-CWE-Other"],"metrics":[],"references":[{"url":"https://lists.debian.org/debian-lts-announce/2021/01/msg00007.html","name":"[debian-lts-announce] 20210106 [SECURITY] [DLA 2519-1] pacemaker security update","refsource":"MLIST","tags":["Mailing List","Third Party Advisory"],"title":"[SECURITY] [DLA 2519-1] pacemaker security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://seclists.org/oss-sec/2020/q4/83","name":"https://seclists.org/oss-sec/2020/q4/83","refsource":"MISC","tags":["Mailing List","Third Party Advisory"],"title":"oss-sec: CVE-2020-25654 pacemaker: ACL restrictions bypass","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1888191","name":"https://bugzilla.redhat.com/show_bug.cgi?id=1888191","refsource":"MISC","tags":["Issue Tracking","Third Party Advisory"],"title":"1888191 – (CVE-2020-25654) CVE-2020-25654 pacemaker: ACL restrictions bypass","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.clusterlabs.org/pipermail/users/2020-October/027840.html","name":"https://lists.clusterlabs.org/pipermail/users/2020-October/027840.html","refsource":"MISC","tags":["Mailing List","Vendor Advisory"],"title":"[ClusterLabs] FYI: Pacemaker vulnerability CVE-2020-25654","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.gentoo.org/glsa/202309-09","name":"GLSA-202309-09","refsource":"GENTOO","tags":[],"title":"Pacemaker: Multiple Vulnerabilities (GLSA 202309-09) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2020-25654","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-25654","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2020","cve_id":"25654","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"clusterlabs","cpe5":"pacemaker","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"25654","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"clusterlabs","cpe5":"pacemaker","cpe6":"2.0.5","cpe7":"rc1","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"25654","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"clusterlabs","cpe5":"pacemaker","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"25654","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"clusterlabs","cpe5":"pacemaker","cpe6":"2.0.5","cpe7":"rc1","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"25654","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"9.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"25654","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"9.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2020-25654","qid":"159659","title":"Oracle Enterprise Linux Security Update for pacemaker (ELSA-2020-5453)"},{"cve":"CVE-2020-25654","qid":"375682","title":"IBM MQ Control List Bypass Vulnerability(6464787)"},{"cve":"CVE-2020-25654","qid":"377400","title":"Alibaba Cloud Linux Security Update for pacemaker (ALINUX3-SA-2021:0004)"},{"cve":"CVE-2020-25654","qid":"710753","title":"Gentoo Linux Pacemaker Multiple Vulnerabilities (GLSA 202309-09)"},{"cve":"CVE-2020-25654","qid":"940322","title":"AlmaLinux Security Update for pacemaker (ALSA-2020:5487)"}]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"CVE-2020-25654","ASSIGNER":"secalert@redhat.com","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"n/a","product":{"product_data":[{"product_name":"pacemaker","version":{"version_data":[{"version_value":"pacemaker 1.1.24-rc1, pacemaker 2.0.5-rc2"}]}}]}}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-284"}]}]},"references":{"reference_data":[{"refsource":"MISC","name":"https://bugzilla.redhat.com/show_bug.cgi?id=1888191","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1888191"},{"refsource":"MISC","name":"https://seclists.org/oss-sec/2020/q4/83","url":"https://seclists.org/oss-sec/2020/q4/83"},{"refsource":"MISC","name":"https://lists.clusterlabs.org/pipermail/users/2020-October/027840.html","url":"https://lists.clusterlabs.org/pipermail/users/2020-October/027840.html"},{"refsource":"MLIST","name":"[debian-lts-announce] 20210106 [SECURITY] [DLA 2519-1] pacemaker security update","url":"https://lists.debian.org/debian-lts-announce/2021/01/msg00007.html"},{"refsource":"GENTOO","name":"GLSA-202309-09","url":"https://security.gentoo.org/glsa/202309-09"}]},"description":{"description_data":[{"lang":"eng","value":"An ACL bypass flaw was found in pacemaker. An attacker having a local account on the cluster and in the haclient group could use IPC communication with various daemons directly to perform certain tasks that they would be prevented by ACLs from doing if they went through the configuration."}]}},"nvd":{"publishedDate":"2020-11-24 20:15:00","lastModifiedDate":"2023-09-29 11:15:00","problem_types":["NVD-CWE-Other"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":7.2,"baseSeverity":"HIGH"},"exploitabilityScore":1.2,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:C/I:C/A:C","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"COMPLETE","integrityImpact":"COMPLETE","availabilityImpact":"COMPLETE","baseScore":9},"severity":"HIGH","exploitabilityScore":8,"impactScore":10,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:clusterlabs:pacemaker:2.0.5:rc1:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:clusterlabs:pacemaker:*:*:*:*:*:*:*:*","versionEndExcluding":"1.1.23","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:clusterlabs:pacemaker:*:*:*:*:*:*:*:*","versionStartIncluding":"2.0.0","versionEndExcluding":"2.0.3","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2020","CveId":"25654","Ordinal":"187071","Title":"CVE-2020-25654","CVE":"CVE-2020-25654","Year":"2020"},"notes":[{"CveYear":"2020","CveId":"25654","Ordinal":"1","NoteData":"An ACL bypass flaw was found in pacemaker. An attacker having a local account on the cluster and in the haclient group could use IPC communication with various daemons directly to perform certain tasks that they would be prevented by ACLs from doing if they went through the configuration.","Type":"Description","Title":null},{"CveYear":"2020","CveId":"25654","Ordinal":"2","NoteData":"2020-11-24","Type":"Other","Title":"Published"},{"CveYear":"2020","CveId":"25654","Ordinal":"3","NoteData":"2021-01-06","Type":"Other","Title":"Modified"}]}}}