CVSS: 8.8EPSS: 0%CPEs: 5EXPL: 0CVE-2018-14651 – glusterfs: glusterfs server exploitable via symlinks to relative paths
https://notcve.org/view.php?id=CVE-2018-14651
31 Oct 2018 — It was found that the fix for CVE-2018-10927, CVE-2018-10928, CVE-2018-10929, CVE-2018-10930, and CVE-2018-10926 was incomplete. A remote, authenticated attacker could use one of these flaws to execute arbitrary code, create arbitrary files, or cause denial of service on glusterfs server nodes via symlinks to relative paths. Se ha descubierto que la solución para CVE-2018-10927, CVE-2018-10928, CVE-2018-10929, CVE-2018-10930 y CVE-2018-10926 estaba incompleta. Un atacante autenticado remoto podría emplear u... • https://access.redhat.com/errata/RHSA-2018:3431 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVSS: 6.5EPSS: 0%CPEs: 9EXPL: 0CVE-2018-14660 – glusterfs: Repeat use of "GF_META_LOCK_KEY" xattr allows for memory exhaustion
https://notcve.org/view.php?id=CVE-2018-14660
31 Oct 2018 — A flaw was found in glusterfs server through versions 4.1.4 and 3.1.2 which allowed repeated usage of GF_META_LOCK_KEY xattr. A remote, authenticated attacker could use this flaw to create multiple locks for single inode by using setxattr repetitively resulting in memory exhaustion of glusterfs server node. Se ha encontrado un error en el servidor glusterfs hasta las versiones 4.1.4 y 3.1.2 que permitía el uso repetido del xattr GF_META_LOCK_KEY. Un atacante autenticado remoto podría emplear este error para... • https://access.redhat.com/errata/RHSA-2018:3431 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0CVE-2018-10924 – Gentoo Linux Security Advisory 201904-06
https://notcve.org/view.php?id=CVE-2018-10924
04 Sep 2018 — It was discovered that fsync(2) system call in glusterfs client code leaks memory. An authenticated attacker could use this flaw to launch a denial of service attack by making gluster clients consume memory of the host machine. Se ha descubierto que la llamada del sistema fsync(2) en el código del cliente glusterfs filtra memoria. Un atacante autenticado podría empelar este error para lanzar un ataque de denegación de servicio (DoS) haciendo que los clientes gluster consuman la memoria de la máquina host. M... • http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00035.html • CWE-400: Uncontrolled Resource Consumption CWE-772: Missing Release of Resource after Effective Lifetime •
CVSS: 8.1EPSS: 0%CPEs: 8EXPL: 0CVE-2018-10927 – glusterfs: File status information leak and denial of service
https://notcve.org/view.php?id=CVE-2018-10927
04 Sep 2018 — A flaw was found in RPC request using gfs3_lookup_req in glusterfs server. An authenticated attacker could use this flaw to leak information and execute remote denial of service by crashing gluster brick process. Se ha detectado un error en las peticiones RPC que emplean gfs3_lookup_req en el servidor glusterfs. Un atacante autenticado podría emplear este error para filtrar información y ejecutar una denegación de servicio (DoS) remota provocando el cierre inesperado del proceso brick de gluster. The redhat... • http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00035.html • CWE-20: Improper Input Validation CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.8EPSS: 0%CPEs: 8EXPL: 0CVE-2018-10904 – glusterfs: Unsanitized file names in debug/io-stats translator can allow remote attackers to execute arbitrary code
https://notcve.org/view.php?id=CVE-2018-10904
04 Sep 2018 — It was found that glusterfs server does not properly sanitize file paths in the "trusted.io-stats-dump" extended attribute which is used by the "debug/io-stats" translator. Attacker can use this flaw to create files and execute arbitrary code. To exploit this attacker would require sufficient access to modify the extended attributes of files on a gluster volume. Se ha detectado que el servidor glusterfs no sanea correctamente las rutas de archivo en el atributo extendido "trusted.io-stats-dump", empleado po... • http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00035.html • CWE-426: Untrusted Search Path •
CVSS: 8.8EPSS: 0%CPEs: 10EXPL: 0CVE-2018-10926 – glusterfs: Device files can be created in arbitrary locations
https://notcve.org/view.php?id=CVE-2018-10926
04 Sep 2018 — A flaw was found in RPC request using gfs3_mknod_req supported by glusterfs server. An authenticated attacker could use this flaw to write files to an arbitrary location via path traversal and execute arbitrary code on a glusterfs server node. Se ha detectado un error en las peticiones RPC que emplean gfs3_mknod_req soportadas por el servidor glusterfs. Un atacante autenticado podría emplear este error para escribir archivos en una ubicación arbitraria mediante un salto de directorio y ejecutar código arbit... • http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00035.html • CWE-20: Improper Input Validation CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.1EPSS: 0%CPEs: 8EXPL: 0CVE-2018-10923 – glusterfs: I/O to arbitrary devices on storage server
https://notcve.org/view.php?id=CVE-2018-10923
04 Sep 2018 — It was found that the "mknod" call derived from mknod(2) can create files pointing to devices on a glusterfs server node. An authenticated attacker could use this to create an arbitrary device and read data from any device attached to the glusterfs server node. Se ha detectado que la llamada "mknod" derivada de mknod(2) puede crear archivos que señalan a dispositivos en un nodo del servidor glusterfs. Un atacante autenticado podría emplearlo para crear un dispositivo arbitrario y leer datos desde cualquier ... • http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00035.html • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 0%CPEs: 12EXPL: 0CVE-2018-10911 – glusterfs: Improper deserialization in dict.c:dict_unserialize() can allow attackers to read arbitrary memory
https://notcve.org/view.php?id=CVE-2018-10911
04 Sep 2018 — A flaw was found in the way dic_unserialize function of glusterfs does not handle negative key length values. An attacker could use this flaw to read memory from other locations into the stored dict value. Se ha detectado un error en la forma en la que la función dic_unserialize en glusterfs no gestiona los valores de longitud de clave negativos. Un atacante podría utilizar este error para leer la memoria de otras ubicaciones en el valor dict almacenado. A flaw was found in dict.c:dict_unserialize function ... • http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00035.html • CWE-190: Integer Overflow or Wraparound CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-502: Deserialization of Untrusted Data •
CVSS: 6.5EPSS: 0%CPEs: 8EXPL: 0CVE-2018-10913 – glusterfs: Information Exposure in posix_get_file_contents function in posix-helpers.c
https://notcve.org/view.php?id=CVE-2018-10913
04 Sep 2018 — An information disclosure vulnerability was discovered in glusterfs server. An attacker could issue a xattr request via glusterfs FUSE to determine the existence of any file. Se ha descubierto una vulnerabilidad de divulgación de información en el servidor glusterfs. Un atacante podría lanzar una petición xattr mediante glusterfs FUSE para determinar la existencia de algún archivo. The redhat-virtualization-host packages provide the Red Hat Virtualization Host. • http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00035.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-209: Generation of Error Message Containing Sensitive Information •
CVSS: 8.8EPSS: 0%CPEs: 8EXPL: 0CVE-2018-10907 – glusterfs: Stack-based buffer overflow in server-rpc-fops.c allows remote attackers to execute arbitrary code
https://notcve.org/view.php?id=CVE-2018-10907
04 Sep 2018 — It was found that glusterfs server is vulnerable to multiple stack based buffer overflows due to functions in server-rpc-fopc.c allocating fixed size buffers using 'alloca(3)'. An authenticated attacker could exploit this by mounting a gluster volume and sending a string longer that the fixed buffer size to cause crash or potential code execution. Se ha detectado que el servidor glusterfs es vulnerable a múltiples desbordamientos de búfer basados en pila debido a que las funciones en server-rpc-fopc.c asign... • http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00035.html • CWE-121: Stack-based Buffer Overflow CWE-787: Out-of-bounds Write •