{"api_version":"1","generated_at":"2026-04-23T06:19:53+00:00","cve":"CVE-2022-1049","urls":{"html":"https://cve.report/CVE-2022-1049","api":"https://cve.report/api/cve/CVE-2022-1049.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-1049","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-1049"},"summary":{"title":"CVE-2022-1049","description":"A flaw was found in the Pacemaker configuration tool (pcs). The pcs daemon was allowing expired accounts, and accounts with expired passwords to login when using PAM authentication. Therefore, unprivileged expired accounts that have been denied access could still login.","state":"PUBLIC","assigner":"secalert@redhat.com","published_at":"2022-03-25 19:15:00","updated_at":"2023-12-14 21:40:00"},"problem_types":["CWE-287"],"metrics":[],"references":[{"url":"https://www.debian.org/security/2022/dsa-5226","name":"DSA-5226","refsource":"DEBIAN","tags":[],"title":"Debian -- Security Information -- DSA-5226-1 pcs","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://access.redhat.com/security/cve/CVE-2022-1049","name":"https://access.redhat.com/security/cve/CVE-2022-1049","refsource":"MISC","tags":[],"title":"Red Hat Customer Portal - Access to 24x7 support and knowledge","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.debian.org/debian-lts-announce/2022/09/msg00017.html","name":"[debian-lts-announce] 20220914 [SECURITY] [DLA 3108-1] pcs security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 3108-1] pcs security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://huntr.dev/bounties/7aa921fc-a568-4fd8-96f4-7cd826246aa5/","name":"https://huntr.dev/bounties/7aa921fc-a568-4fd8-96f4-7cd826246aa5/","refsource":"MISC","tags":[],"title":"Improper Authorization  vulnerability found in pcs","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://access.redhat.com/errata/RHSA-2022:7935","name":"https://access.redhat.com/errata/RHSA-2022:7935","refsource":"MISC","tags":[],"title":"Red Hat Customer Portal - Access to 24x7 support and knowledge","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://access.redhat.com/errata/RHSA-2022:7447","name":"https://access.redhat.com/errata/RHSA-2022:7447","refsource":"MISC","tags":[],"title":"Red Hat Customer Portal - Access to 24x7 support and knowledge","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2066629","name":"https://bugzilla.redhat.com/show_bug.cgi?id=2066629","refsource":"MISC","tags":[],"title":"2066629 – (CVE-2022-1049) CVE-2022-1049 pcs: improper authentication via PAM","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://huntr.dev/bounties/7aa921fc-a568-4fd8-96f4-7cd826246aa5","name":"https://huntr.dev/bounties/7aa921fc-a568-4fd8-96f4-7cd826246aa5","refsource":"MISC","tags":[],"title":"Improper Authorization  vulnerability found in pcs","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-1049","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-1049","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2022","cve_id":"1049","vulnerable":"1","versionEndIncluding":"0.11.2","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"clusterlabs","cpe5":"pcs","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"1049","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"10.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"1049","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"11.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2022-1049","qid":"160316","title":"Oracle Enterprise Linux Security Update for pcs (ELSA-2022-10007)"},{"cve":"CVE-2022-1049","qid":"160336","title":"Oracle Enterprise Linux Security Update for pcs (ELSA-2022-10031)"},{"cve":"CVE-2022-1049","qid":"180998","title":"Debian Security Update for pcs (DSA 5226-1)"},{"cve":"CVE-2022-1049","qid":"181054","title":"Debian Security Update for pcs (DLA 3108-1)"},{"cve":"CVE-2022-1049","qid":"184986","title":"Debian Security Update for pcs (CVE-2022-1049)"},{"cve":"CVE-2022-1049","qid":"240832","title":"Red Hat Update for pcs security (RHSA-2022:7447)"},{"cve":"CVE-2022-1049","qid":"240911","title":"Red Hat Update for pcs security (RHSA-2022:7935)"},{"cve":"CVE-2022-1049","qid":"940745","title":"AlmaLinux Security Update for pcs (ALSA-2022:7447)"},{"cve":"CVE-2022-1049","qid":"940840","title":"AlmaLinux Security Update for pcs (ALSA-2022:7935)"},{"cve":"CVE-2022-1049","qid":"960307","title":"Rocky Linux Security Update for pcs (RLSA-2022:7447)"},{"cve":"CVE-2022-1049","qid":"960491","title":"Rocky Linux Security Update for pcs (RLSA-2022:7935)"}]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2022-1049","ASSIGNER":"secalert@redhat.com","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"A flaw was found in the Pacemaker configuration tool (pcs). The pcs daemon was allowing expired accounts, and accounts with expired passwords to login when using PAM authentication. Therefore, unprivileged expired accounts that have been denied access could still login."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-287","cweId":"CWE-287"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"n/a","product":{"product_data":[{"product_name":"clusterlabs/pcs","version":{"version_data":[{"version_affected":"=","version_value":"pcs versions <= v0.11.2"}]}}]}}]}},"references":{"reference_data":[{"url":"https://huntr.dev/bounties/7aa921fc-a568-4fd8-96f4-7cd826246aa5","refsource":"MISC","name":"https://huntr.dev/bounties/7aa921fc-a568-4fd8-96f4-7cd826246aa5"},{"url":"https://lists.debian.org/debian-lts-announce/2022/09/msg00017.html","refsource":"MISC","name":"https://lists.debian.org/debian-lts-announce/2022/09/msg00017.html"},{"url":"https://www.debian.org/security/2022/dsa-5226","refsource":"MISC","name":"https://www.debian.org/security/2022/dsa-5226"}]}},"nvd":{"publishedDate":"2022-03-25 19:15:00","lastModifiedDate":"2023-12-14 21:40:00","problem_types":["CWE-287"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":6.5},"severity":"MEDIUM","exploitabilityScore":8,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:clusterlabs:pcs:*:*:*:*:*:*:*:*","versionEndIncluding":"0.11.2","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}