CVE-2010-2496: 
Linux Debian vulnerability analysis and mitigation

stonith-ng in pacemaker and cluster-glue contained a security vulnerability (CVE-2010-2496) where passwords were passed as command-line parameters, exposing sensitive authentication credentials. The vulnerability was discovered in July 2010 and affected pacemaker versions before 1.1.3 and cluster-glue versions before 1.0.6. This security issue impacted the High Availability (HA) stack components, specifically the STONITH (Shoot The Other Node In The Head) functionality (SUSE Bugzilla).

The vulnerability existed in the stonith-ng code where fence_legacy would execute the 'stonith' binary while passing stonith parameters via the command line. This implementation flaw made passwords visible in process listings, allowing local users to view power switch passwords. The issue received a CVSS v3.1 Base Score of 5.5 (MEDIUM) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, and a CVSS v2.0 Base Score of 2.1 (LOW) (NVD).

The vulnerability allowed local attackers to gain access to passwords of the HA stack, potentially enabling them to influence cluster operations. Since power switch passwords were exposed, attackers could potentially manipulate the cluster's power management capabilities, leading to unauthorized control over node fencing operations (SUSE Bugzilla).

The vulnerability was fixed in cluster-glue version 1.0.6 and pacemaker version 1.1.3. The fix involved modifying the stonith binary to accept configuration from environment variables instead of command-line parameters, and updating fencelegacy to use this new secure method. Users were advised to upgrade to these or newer versions to resolve the security issue ([SUSE Bugzilla](https://bugzilla.suse.com/showbug.cgi?id=CVE-2010-2496)).