CVSS: 6.5EPSS: 1%CPEs: 9EXPL: 0CVE-2018-14660 – glusterfs: Repeat use of "GF_META_LOCK_KEY" xattr allows for memory exhaustion
https://notcve.org/view.php?id=CVE-2018-14660
31 Oct 2018 — A flaw was found in glusterfs server through versions 4.1.4 and 3.1.2 which allowed repeated usage of GF_META_LOCK_KEY xattr. A remote, authenticated attacker could use this flaw to create multiple locks for single inode by using setxattr repetitively resulting in memory exhaustion of glusterfs server node. Se ha encontrado un error en el servidor glusterfs hasta las versiones 4.1.4 y 3.1.2 que permitía el uso repetido del xattr GF_META_LOCK_KEY. Un atacante autenticado remoto podría emplear este error para... • https://access.redhat.com/errata/RHSA-2018:3431 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 6.5EPSS: 3%CPEs: 8EXPL: 0CVE-2018-14661 – glusterfs: features/locks translator passes an user-controlled string to snprintf without a proper format string resulting in a denial of service
https://notcve.org/view.php?id=CVE-2018-14661
31 Oct 2018 — It was found that usage of snprintf function in feature/locks translator of glusterfs server 3.8.4, as shipped with Red Hat Gluster Storage, was vulnerable to a format string attack. A remote, authenticated attacker could use this flaw to cause remote denial of service. Se ha detectado que el uso de la función snprintf en el traductor feature/locks del servidor glusterfs 3.8.4, tal y como se distribuye con Red Hat Gluster Storage, era vulnerable a un ataque de cadena de formato. Un atacante remoto autentica... • https://access.redhat.com/errata/RHSA-2018:3431 • CWE-20: Improper Input Validation CWE-134: Use of Externally-Controlled Format String •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2018-10841 – glusterfs: access trusted peer group via remote-host command
https://notcve.org/view.php?id=CVE-2018-10841
20 Jun 2018 — glusterfs is vulnerable to privilege escalation on gluster server nodes. An authenticated gluster client via TLS could use gluster cli with --remote-host command to add it self to trusted storage pool and perform privileged gluster operations like adding other machines to trusted storage pool, start, stop, and delete volumes. glusterfs es vulnerable a un escalado de privilegios en los nodos del servidor gluster. Un cliente gluster autenticado mediante TLS podría emplear la interfaz de línea de comandos de g... • https://access.redhat.com/errata/RHSA-2018:1954 • CWE-287: Improper Authentication CWE-288: Authentication Bypass Using an Alternate Path or Channel •
CVSS: 8.8EPSS: 3%CPEs: 2EXPL: 0CVE-2018-1112 – glusterfs: auth.allow allows unauthenticated clients to mount gluster volumes (CVE-2018-1088 regression)
https://notcve.org/view.php?id=CVE-2018-1112
25 Apr 2018 — glusterfs server before versions 3.10.12, 4.0.2 is vulnerable when using 'auth.allow' option which allows any unauthenticated gluster client to connect from any network to mount gluster storage volumes. NOTE: this vulnerability exists because of a CVE-2018-1088 regression. El servidor glusterfs 3.10.12 y 4.0.2 es vulnerable cuando se emplea la opción "auth.allow", que permite que cualquier cliente de gluster no autenticado se conecte desde cualquier red para montar volúmenes de almacenamiento de gluster. NO... • http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00035.html • CWE-287: Improper Authentication •
CVSS: 3.3EPSS: 0%CPEs: 1EXPL: 0CVE-2017-15096
https://notcve.org/view.php?id=CVE-2017-15096
26 Oct 2017 — A flaw was found in GlusterFS in versions prior to 3.10. A null pointer dereference in send_brick_req function in glusterfsd/src/gf_attach.c may be used to cause denial of service. Se ha encontrado un fallo en versiones anteriores a la 3.10 de GlusterFS. Una desreferencia de puntero NULL en la función send_brick_req en glusterfsd/src/gf_attach.c podría emplearse para provocar una denegación de servicio (DoS). • https://bugzilla.redhat.com/show_bug.cgi?id=1504255 • CWE-476: NULL Pointer Dereference •
CVSS: 7.5EPSS: 2%CPEs: 2EXPL: 0CVE-2014-3619 – Mandriva Linux Security Advisory 2015-211
https://notcve.org/view.php?id=CVE-2014-3619
27 Mar 2015 — The __socket_proto_state_machine function in GlusterFS 3.5 allows remote attackers to cause a denial of service (infinite loop) via a "00000000" fragment header. La función __socket_proto_state_machine en GlusterFS 3.5 permite a atacantes remotos causar una denegación de servicio (bucle infinito) a través de una cabecera de fragmento '00000000'. glusterfs was vulnerable to a fragment header infinite loop denial of service attack. Also, the glusterfsd SysV init script was failing to properly start the servic... • http://advisories.mageia.org/MGASA-2015-0145.html • CWE-399: Resource Management Errors •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2012-4417 – GlusterFS: insecure temporary file creation
https://notcve.org/view.php?id=CVE-2012-4417
18 Nov 2012 — GlusterFS 3.3.0, as used in Red Hat Storage server 2.0, allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names. GlusterFS v3.3.0, como se usa en Red Hat Storage v2.0, permite a usuarios locales sobreescribir archivos arbitrarios mediante un ataque de enlaces simbólicos en los archivos temporales con nombres predecibles. • http://rhn.redhat.com/errata/RHSA-2012-1456.html • CWE-264: Permissions, Privileges, and Access Controls CWE-377: Insecure Temporary File •