VYPR

rpm package

almalinux/pcs

pkg:rpm/almalinux/pcs

Vulnerabilities (33)

  • CVE-2024-26141Feb 28, 2024
    affected < 0.11.7-2.el9_4fixed 0.11.7-2.el9_4

    Rack is a modular Ruby web server interface. Carefully crafted Range headers can cause a server to respond with an unexpectedly large response. Responding with such large responses could lead to a denial of service issue. Vulnerable applications will use the `Rack::File` middlewa

  • CVE-2024-25126Feb 28, 2024
    affected < 0.11.7-2.el9_4fixed 0.11.7-2.el9_4

    Rack is a modular Ruby web server interface. Carefully crafted content type headers can cause Rack’s media type parser to take much longer than expected, leading to a possible denial of service vulnerability (ReDos 2nd degree polynomial). This vulnerability is patched in 3.0.9.1

  • CVE-2024-26146Feb 28, 2024
    affected < 0.11.7-2.el9_4fixed 0.11.7-2.el9_4

    Rack is a modular Ruby web server interface. Carefully crafted headers can cause header parsing in Rack to take longer than expected resulting in a possible denial of service issue. Accept and Forwarded headers are impacted. Ruby 3.2 has mitigations for this problem, so Rack appl

  • CVE-2023-2319CriMay 17, 2023
    affected < 0.11.4-7.el9_2fixed 0.11.4-7.el9_2

    It was discovered that an update for PCS package in RHBA-2023:2151 erratum released as part of Red Hat Enterprise Linux 9.2 failed to include the fix for the Webpack issue CVE-2023-28154 (for PCS package), which was previously addressed in Red Hat Enterprise Linux 9.1 via erratum

  • CVE-2023-28154CriMar 13, 2023
    affected < 0.11.3-4.el9_1.3fixed 0.11.3-4.el9_1.3

    Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.

  • CVE-2023-27530HigMar 10, 2023
    affected < 0.11.4-7.el9_2fixed 0.11.4-7.el9_2

    A DoS vulnerability exists in Rack <v3.0.4.2, <v2.2.6.3, <v2.1.4.3 and <v2.0.9.3 within in the Multipart MIME parsing code in which could allow an attacker to craft requests that can be abuse to cause multipart parsing to take longer than expected.

  • CVE-2022-45442HigNov 28, 2022
    affected < 0.10.14-5.el8_7.2.almafixed 0.10.14-5.el8_7.2.alma

    Sinatra is a domain-specific language for creating web applications in Ruby. An issue was discovered in Sinatra 2.0 before 2.2.3 and 3.0 before 3.0.4. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a response whe

  • CVE-2022-38900HigNov 28, 2022
    affected < 0.11.6-3.el9fixed 0.11.6-3.el9

    decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.

  • CVE-2022-2735HigSep 6, 2022
    affected < 0.11.1-10.el9_0.2fixed 0.11.1-10.el9_0.2

    A vulnerability was found in the PCS project. This issue occurs due to incorrect permissions on a Unix socket used for internal communication between PCS daemons. A privilege escalation could happen by obtaining an authentication token for a hacluster user. With the "hacluster" t

  • CVE-2022-29970HigMay 2, 2022
    affected < 0.11.1-10.el9fixed 0.11.1-10.el9

    Sinatra before 2.2.0 does not validate that the expanded path matches public_dir when serving static files.

  • CVE-2022-1049HigMar 25, 2022
    affected < 0.10.14-5.el8.almafixed 0.10.14-5.el8.alma

    A flaw was found in the Pacemaker configuration tool (pcs). The pcs daemon was allowing expired accounts, and accounts with expired passwords to login when using PAM authentication. Therefore, unprivileged expired accounts that have been denied access could still login.

  • CVE-2020-7656MedMay 19, 2020
    affected < 0.10.10-4.el8.almafixed 0.10.10-4.el8.alma

    jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "", which results in the enclosed script logic to be executed.

  • CVE-2020-11023MedKEVApr 29, 2020
    affected < 0.10.10-4.el8.almafixed 0.10.10-4.el8.alma

    In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This pro

Page 2 of 2