Page 4 of 20 results (0.014 seconds)

CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0

glusterfs is vulnerable to privilege escalation on gluster server nodes. An authenticated gluster client via TLS could use gluster cli with --remote-host command to add it self to trusted storage pool and perform privileged gluster operations like adding other machines to trusted storage pool, start, stop, and delete volumes. glusterfs es vulnerable a un escalado de privilegios en los nodos del servidor gluster. Un cliente gluster autenticado mediante TLS podría emplear la interfaz de línea de comandos de gluster con el comando --remote-host para añadirse a sí mismo al pool de almacenamiento fiable y realizar operaciones gluster privilegiadas, como la adición de otras máquinas al pool de almacenamiento fiable, iniciar, detener y eliminar volúmenes. A flaw was found in glusterfs which can lead to privilege escalation on gluster server nodes. An authenticated gluster client via TLS could use gluster cli with --remote-host command to add it self to trusted storage pool and perform privileged gluster operations like adding other machines to trusted storage pool, start, stop, and delete volumes. • https://access.redhat.com/errata/RHSA-2018:1954 https://access.redhat.com/errata/RHSA-2018:1955 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10841 https://lists.debian.org/debian-lts-announce/2021/11/msg00000.html https://review.gluster.org/#/c/20328 https://security.gentoo.org/glsa/201904-06 https://access.redhat.com/security/cve/CVE-2018-10841 https://bugzilla.redhat.com/show_bug.cgi?id=1582043 • CWE-287: Improper Authentication CWE-288: Authentication Bypass Using an Alternate Path or Channel •

CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0

glusterfs server before versions 3.10.12, 4.0.2 is vulnerable when using 'auth.allow' option which allows any unauthenticated gluster client to connect from any network to mount gluster storage volumes. NOTE: this vulnerability exists because of a CVE-2018-1088 regression. El servidor glusterfs 3.10.12 y 4.0.2 es vulnerable cuando se emplea la opción "auth.allow", que permite que cualquier cliente de gluster no autenticado se conecte desde cualquier red para montar volúmenes de almacenamiento de gluster. NOTA: esta vulnerabilidad existe debido a una regresión de CVE-2018-1088 It was found that fix for CVE-2018-1088 introduced a new vulnerability in the way 'auth.allow' is implemented in glusterfs server. An unauthenticated gluster client could mount gluster storage volumes. • http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00035.html https://access.redhat.com/articles/3422521 https://access.redhat.com/errata/RHSA-2018:1268 https://access.redhat.com/errata/RHSA-2018:1269 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1112 https://review.gluster.org/#/c/19899/1..2 https://access.redhat.com/security/cve/CVE-2018-1112 https://bugzilla.redhat.com/show_bug.cgi?id=1570891 • CWE-287: Improper Authentication •

CVSS: 3.3EPSS: 0%CPEs: 1EXPL: 0

A flaw was found in GlusterFS in versions prior to 3.10. A null pointer dereference in send_brick_req function in glusterfsd/src/gf_attach.c may be used to cause denial of service. Se ha encontrado un fallo en versiones anteriores a la 3.10 de GlusterFS. Una desreferencia de puntero NULL en la función send_brick_req en glusterfsd/src/gf_attach.c podría emplearse para provocar una denegación de servicio (DoS). • https://bugzilla.redhat.com/show_bug.cgi?id=1504255 • CWE-476: NULL Pointer Dereference •

CVSS: 5.0EPSS: 1%CPEs: 2EXPL: 0

The __socket_proto_state_machine function in GlusterFS 3.5 allows remote attackers to cause a denial of service (infinite loop) via a "00000000" fragment header. La función __socket_proto_state_machine en GlusterFS 3.5 permite a atacantes remotos causar una denegación de servicio (bucle infinito) a través de una cabecera de fragmento '00000000'. • http://advisories.mageia.org/MGASA-2015-0145.html http://lists.opensuse.org/opensuse-updates/2015-03/msg00031.html http://lists.opensuse.org/opensuse-updates/2015-03/msg00056.html http://review.gluster.org/#/c/8662/4 http://www.mandriva.com/security/advisories?name=MDVSA-2015:211 https://bugzilla.redhat.com/show_bug.cgi?id=1138145 • CWE-399: Resource Management Errors •

CVSS: 3.6EPSS: 0%CPEs: 1EXPL: 0

GlusterFS 3.3.0, as used in Red Hat Storage server 2.0, allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names. GlusterFS v3.3.0, como se usa en Red Hat Storage v2.0, permite a usuarios locales sobreescribir archivos arbitrarios mediante un ataque de enlaces simbólicos en los archivos temporales con nombres predecibles. • http://rhn.redhat.com/errata/RHSA-2012-1456.html http://www.securityfocus.com/bid/56522 http://www.securitytracker.com/id?1027756 https://bugzilla.redhat.com/show_bug.cgi?id=856341 https://exchange.xforce.ibmcloud.com/vulnerabilities/80074 https://access.redhat.com/security/cve/CVE-2012-4417 • CWE-264: Permissions, Privileges, and Access Controls CWE-377: Insecure Temporary File •