{"id":"CVE-2022-2735","details":"A vulnerability was found in the PCS project. This issue occurs due to incorrect permissions on a Unix socket used for internal communication between PCS daemons. A privilege escalation could happen by obtaining an authentication token for a hacluster user. With the \"hacluster\" token, this flaw allows an attacker to have complete control over the cluster managed by PCS.","modified":"2026-05-18T05:53:43.623061991Z","published":"2022-09-06T17:18:51Z","related":["ALSA-2022:6313","ALSA-2022:6314"],"database_specific":{"unresolved_ranges":[{"extracted_events":[{"last_affected":"Affects v0.10.5 and later including all 0.11.x."}],"source":"AFFECTED_FIELD"}],"cna_assigner":"redhat","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/2xxx/CVE-2022-2735.json","cwe_ids":["CWE-276"]},"references":[{"type":"WEB","url":"https://access.redhat.com/security/cve/CVE-2022-2735"},{"type":"WEB","url":"https://www.openwall.com/lists/oss-security/2022/09/01/4"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/2xxx/CVE-2022-2735.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-2735"},{"type":"ADVISORY","url":"https://www.debian.org/security/2022/dsa-5226"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2116815"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/clusterlabs/pcs","events":[{"introduced":"148ba94058d0ff2fa5eccf17efe1d0d2554513f0"},{"last_affected":"5c663dbcb73493023f6be40d34688d363e921c22"}],"database_specific":{"extracted_events":[{"introduced":"0.10.5"},{"last_affected":"0.11.3"}],"cpe":"cpe:2.3:a:clusterlabs:pcs:*:*:*:*:*:*:*:*","source":"CPE_FIELD"}}],"versions":["v0.11.3","v0.11.2","v0.11.1","v0.11.1.alpha.1","v0.10.10","v0.10.9","v0.10.8","0.10.8","v0.10.7","0.10.7","0.10.6","0.10.5"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-2735.json"}}],"schema_version":"1.7.5"}