{
  "threat_severity" : "Moderate",
  "public_date" : "2015-09-01T00:00:00Z",
  "bugzilla" : {
    "description" : "pcs: Incorrect authorization when using pcs web UI",
    "id" : "1252805",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1252805"
  },
  "cvss" : {
    "cvss_base_score" : "4.9",
    "cvss_scoring_vector" : "AV:N/AC:M/Au:S/C:P/I:P/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-863",
  "details" : [ "pcsd in PCS 0.9.139 and earlier uses a global variable to validate usernames, creating a race condition that allows remote authenticated users to gain privileges by sending a command that is checked for security after another user is authenticated.", "A race condition was found in the way the pcsd web UI backend performed authorization of user requests. An attacker could use this flaw to send a request that would be evaluated as originating from a different user, potentially allowing the attacker to perform actions with permissions of a more privileged user." ],
  "acknowledgement" : "This issue was discovered by Tomáš Jelínek (Red Hat).",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "release_date" : "2015-09-01T00:00:00Z",
    "advisory" : "RHSA-2015:1700",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6",
    "package" : "pcs-0:0.9.139-9.el6_7.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2015-09-01T00:00:00Z",
    "advisory" : "RHSA-2015:1700",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "pcs-0:0.9.137-13.el7_1.4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2015-5189\nhttps://nvd.nist.gov/vuln/detail/CVE-2015-5189" ],
  "name" : "CVE-2015-5189",
  "csaw" : false
}