pcs is vulnerable to information disclosure. The REST interface does not properly remove the pcs debug argument from the /run_pcs query. A remote attacker can use this to obtain confidential information, potentially including a valid token that allows elevation of privileges.
access.redhat.com/documentation/en-US/red_hat_enterprise_linux/6/html/6.10_release_notes/index.html
access.redhat.com/documentation/en-US/red_hat_enterprise_linux/6/html/6.10_technical_notes/index.html
access.redhat.com/errata/RHSA-2018:1060
access.redhat.com/errata/RHSA-2018:1927
access.redhat.com/security/updates/classification/#moderate
bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1086
www.debian.org/security/2018/dsa-4169