CVSS: 8.8EPSS: 0%CPEs: 5EXPL: 0CVE-2018-14651 – glusterfs: glusterfs server exploitable via symlinks to relative paths
https://notcve.org/view.php?id=CVE-2018-14651
It was found that the fix for CVE-2018-10927, CVE-2018-10928, CVE-2018-10929, CVE-2018-10930, and CVE-2018-10926 was incomplete. A remote, authenticated attacker could use one of these flaws to execute arbitrary code, create arbitrary files, or cause denial of service on glusterfs server nodes via symlinks to relative paths. Se ha descubierto que la solución para CVE-2018-10927, CVE-2018-10928, CVE-2018-10929, CVE-2018-10930 y CVE-2018-10926 estaba incompleta. Un atacante autenticado remoto podría emplear uno de estos errores para ejecutar código arbitrario, crear archivos arbitrarios o provocar una denegación de servicio en los nodos del servidor glusterfs mediante vínculos simbólicos a rutas relativas. • https://access.redhat.com/errata/RHSA-2018:3431 https://access.redhat.com/errata/RHSA-2018:3432 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14651 https://lists.debian.org/debian-lts-announce/2018/11/msg00003.html https://security.gentoo.org/glsa/201904-06 https://access.redhat.com/security/cve/CVE-2018-14651 https://bugzilla.redhat.com/show_bug.cgi?id=1632557 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVSS: 6.5EPSS: 0%CPEs: 9EXPL: 0CVE-2018-14660 – glusterfs: Repeat use of "GF_META_LOCK_KEY" xattr allows for memory exhaustion
https://notcve.org/view.php?id=CVE-2018-14660
A flaw was found in glusterfs server through versions 4.1.4 and 3.1.2 which allowed repeated usage of GF_META_LOCK_KEY xattr. A remote, authenticated attacker could use this flaw to create multiple locks for single inode by using setxattr repetitively resulting in memory exhaustion of glusterfs server node. Se ha encontrado un error en el servidor glusterfs hasta las versiones 4.1.4 y 3.1.2 que permitía el uso repetido del xattr GF_META_LOCK_KEY. Un atacante autenticado remoto podría emplear este error para crear múltiples bloqueos para un único inode mediante el uso repetido de setxattr, lo que resulta en el agotamiento de la memoria del nodo del servidor glusterfs. A flaw was found in glusterfs server which allowed repeated usage of GF_META_LOCK_KEY xattr. • https://access.redhat.com/errata/RHSA-2018:3431 https://access.redhat.com/errata/RHSA-2018:3432 https://access.redhat.com/errata/RHSA-2018:3470 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14660 https://lists.debian.org/debian-lts-announce/2021/11/msg00000.html https://security.gentoo.org/glsa/201904-06 https://access.redhat.com/security/cve/CVE-2018-14660 https://bugzilla.redhat.com/show_bug.cgi?id=1635926 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0CVE-2018-10924
https://notcve.org/view.php?id=CVE-2018-10924
It was discovered that fsync(2) system call in glusterfs client code leaks memory. An authenticated attacker could use this flaw to launch a denial of service attack by making gluster clients consume memory of the host machine. Se ha descubierto que la llamada del sistema fsync(2) en el código del cliente glusterfs filtra memoria. Un atacante autenticado podría empelar este error para lanzar un ataque de denegación de servicio (DoS) haciendo que los clientes gluster consuman la memoria de la máquina host. • http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00035.html https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10924 https://review.gluster.org/#/c/glusterfs/+/20723 https://security.gentoo.org/glsa/201904-06 • CWE-400: Uncontrolled Resource Consumption CWE-772: Missing Release of Resource after Effective Lifetime •
CVSS: 8.1EPSS: 0%CPEs: 8EXPL: 0CVE-2018-10923 – glusterfs: I/O to arbitrary devices on storage server
https://notcve.org/view.php?id=CVE-2018-10923
It was found that the "mknod" call derived from mknod(2) can create files pointing to devices on a glusterfs server node. An authenticated attacker could use this to create an arbitrary device and read data from any device attached to the glusterfs server node. Se ha detectado que la llamada "mknod" derivada de mknod(2) puede crear archivos que señalan a dispositivos en un nodo del servidor glusterfs. Un atacante autenticado podría emplearlo para crear un dispositivo arbitrario y leer datos desde cualquier dispositivo conectado al nodo del servidor glusterfs. • http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00035.html https://access.redhat.com/errata/RHSA-2018:2607 https://access.redhat.com/errata/RHSA-2018:2608 https://access.redhat.com/errata/RHSA-2018:3470 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10923 https://lists.debian.org/debian-lts-announce/2018/09/msg00021.html https://lists.debian.org/debian-lts-announce/2021/11/msg00000.html https://security.gentoo.org/glsa/201904-06 https://access.redhat.c • CWE-20: Improper Input Validation •
CVSS: 8.8EPSS: 0%CPEs: 10EXPL: 0CVE-2018-10926 – glusterfs: Device files can be created in arbitrary locations
https://notcve.org/view.php?id=CVE-2018-10926
A flaw was found in RPC request using gfs3_mknod_req supported by glusterfs server. An authenticated attacker could use this flaw to write files to an arbitrary location via path traversal and execute arbitrary code on a glusterfs server node. Se ha detectado un error en las peticiones RPC que emplean gfs3_mknod_req soportadas por el servidor glusterfs. Un atacante autenticado podría emplear este error para escribir archivos en una ubicación arbitraria mediante un salto de directorio y ejecutar código arbitrario en un nodo del servidor glusterfs. • http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00035.html https://access.redhat.com/errata/RHSA-2018:2607 https://access.redhat.com/errata/RHSA-2018:2608 https://access.redhat.com/errata/RHSA-2018:3470 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10926 https://lists.debian.org/debian-lts-announce/2018/09/msg00021.html https://lists.debian.org/debian-lts-announce/2021/11/msg00000.html https://security.gentoo.org/glsa/201904-06 https://access.redhat.c • CWE-20: Improper Input Validation CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •