#VU65903 Permissions, Privileges, and Access Controls in booth (Debian package) - CVE-2022-2553


Vulnerability identifier: #VU65903

Vulnerability risk: Low

CVSSv4.0: 0.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2022-2553

CWE-ID: CWE-264

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
booth (Debian package)
Operating systems & Components / Operating system package or component

Vendor: Debian

Description

The vulnerability allows a remote user to bypass certain security restrictions.

The vulnerability exists due to application does not properly restrict intra-node communication when configuring the authfile configuration directive. A remote node with incorrect authentication key can continue communication with the other node members.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

booth (Debian package): before 1.0-162-g27f917f-2+deb10u1

External links
https://github.com/ClusterLabs/booth/commit/35bf0b7b048d715f671eb68974fb6b4af6528c67
https://www.debian.org/security/2022/dsa-5194

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Ubuntu update for booth
Fedora 35 update for booth
Fedora 36 update for booth
Anolis OS update for booth
Red Hat Enterprise Linux High Availability 9 update for booth
Red Hat Enterprise Linux High Availability 8 update for booth
Red Hat Enterprise Linux High Availability 8.4 update for booth
SUSE update for booth
SUSE update for booth
SUSE update for booth