pcs daemon CVE-2016-0721 Session Fixation Vulnerability



pcs daemon is prone to a session-fixation vulnerability.

An attacker can exploit this issue to hijack an arbitrary session and gain unauthorized access to the affected application.

pcs daemon versions prior to 0.9.157 are vulnerable.

Information

Bugtraq ID: 97977
Class: Unknown
CVE: CVE-2016-0721

Remote: Yes
Local: No
Published: Apr 21 2017 12:00AM
Updated: Apr 24 2017 09:08PM
Credit: The vendor reported this issue.
Vulnerable: Red Hat Enterprise Linux Resilient Storage 7
Red Hat Enterprise Linux High Availability 7
Red Hat Enterprise Linux 6
+ Trustix Secure Enterprise Linux 2.0
+ Trustix Secure Linux 2.2
+ Trustix Secure Linux 2.1
+ Trustix Secure Linux 2.0
Fedora Pacemaker Configuration System 0.9.156
Fedora Pacemaker Configuration System 0.9.137


Not Vulnerable: Fedora Pacemaker Configuration System 0.9.157


Exploit


To exploit this issue, an attacker entices an unsuspecting user into following a malicious URI.

