Fluid Attacks Database

Description

pcs before versions 0.9.164 and 0.10 is vulnerable to a debug parameter removal bypass. REST interface of the pcsd service did not properly remove the pcs debug argument from the /run_pcs query, possibly disclosing sensitive information. A remote attacker with a valid token could use this flaw to elevate their privilege.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 13	pcs	>=0 <0.9.164-1	0.9.164-1
debian 14	pcs	>=0 <0.9.164-1	0.9.164-1
debian 11	pcs	>=0 <0.9.164-1	0.9.164-1
debian 12	pcs	>=0 <0.9.164-1	0.9.164-1
rpm rhel6	pcs	<0:0.9.155-3.el6	0:0.9.155-3.el6
rpm rhel7	pcs	<0:0.9.162-5.el7_5.1	0:0.9.162-5.el7_5.1

Aliases

1. CVE-2018-10862. NVD-2018-10863. OSV-DEBIAN-2018-10864. OSV-2018-10865. SECURITY-TRACKER-CVE-2018-1086

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.