{"id":"CVE-2022-2735","details":"A vulnerability was found in the PCS project. This issue occurs due to incorrect permissions on a Unix socket used for internal communication between PCS daemons. A privilege escalation could happen by obtaining an authentication token for a hacluster user. With the \"hacluster\" token, this flaw allows an attacker to have complete control over the cluster managed by PCS.","modified":"2026-04-10T04:46:48.077521Z","published":"2022-09-06T18:15:14.880Z","related":["ALSA-2022:6313","ALSA-2022:6314"],"references":[{"type":"ADVISORY","url":"https://www.debian.org/security/2022/dsa-5226"},{"type":"ADVISORY","url":"https://www.openwall.com/lists/oss-security/2022/09/01/4"},{"type":"ADVISORY","url":"https://access.redhat.com/security/cve/CVE-2022-2735"},{"type":"FIX","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2116815"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/clusterlabs/pcs","events":[{"introduced":"148ba94058d0ff2fa5eccf17efe1d0d2554513f0"},{"last_affected":"5c663dbcb73493023f6be40d34688d363e921c22"}],"database_specific":{"versions":[{"introduced":"0.10.5"},{"last_affected":"0.11.3"}]}}],"versions":["0.10.5","0.10.6","0.10.7","0.10.8","v0.10.10","v0.10.7","v0.10.8","v0.10.9","v0.11.1","v0.11.1.alpha.1","v0.11.2","v0.11.3"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"11.0"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-2735.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}