CVE-2018-14660
glusterfs: Repeat use of "GF_META_LOCK_KEY" xattr allows for memory exhaustion
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
A flaw was found in glusterfs server through versions 4.1.4 and 3.1.2 which allowed repeated usage of GF_META_LOCK_KEY xattr. A remote, authenticated attacker could use this flaw to create multiple locks for single inode by using setxattr repetitively resulting in memory exhaustion of glusterfs server node.
Se ha encontrado un error en el servidor glusterfs hasta las versiones 4.1.4 y 3.1.2 que permitía el uso repetido del xattr GF_META_LOCK_KEY. Un atacante autenticado remoto podría emplear este error para crear múltiples bloqueos para un único inode mediante el uso repetido de setxattr, lo que resulta en el agotamiento de la memoria del nodo del servidor glusterfs.
A flaw was found in glusterfs server which allowed repeated usage of GF_META_LOCK_KEY xattr. A remote, authenticated attacker could use this flaw to create multiple locks for single inode by using setxattr repetitively resulting in memory exhaustion of glusterfs server node.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2018-07-27 CVE Reserved
- 2018-10-31 CVE Published
- 2024-08-05 CVE Updated
- 2024-08-16 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-400: Uncontrolled Resource Consumption
- CWE-770: Allocation of Resources Without Limits or Throttling
CAPEC
References (8)
URL | Tag | Source |
---|---|---|
https://lists.debian.org/debian-lts-announce/2021/11/msg00000.html | Mailing List |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://access.redhat.com/errata/RHSA-2018:3431 | 2023-02-13 | |
https://access.redhat.com/errata/RHSA-2018:3432 | 2023-02-13 | |
https://access.redhat.com/errata/RHSA-2018:3470 | 2023-02-13 | |
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14660 | 2023-02-13 | |
https://security.gentoo.org/glsa/201904-06 | 2023-02-13 | |
https://access.redhat.com/security/cve/CVE-2018-14660 | 2018-11-05 | |
https://bugzilla.redhat.com/show_bug.cgi?id=1635926 | 2018-11-05 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Redhat Search vendor "Redhat" | Virtualization Search vendor "Redhat" for product "Virtualization" | 4.0 Search vendor "Redhat" for product "Virtualization" and version "4.0" | - |
Affected
| in | Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 7.0 Search vendor "Redhat" for product "Enterprise Linux" and version "7.0" | - |
Safe
|
Redhat Search vendor "Redhat" | Virtualization Host Search vendor "Redhat" for product "Virtualization Host" | 4.0 Search vendor "Redhat" for product "Virtualization Host" and version "4.0" | - |
Affected
| in | Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 7.0 Search vendor "Redhat" for product "Enterprise Linux" and version "7.0" | - |
Safe
|
Gluster Search vendor "Gluster" | Glusterfs Search vendor "Gluster" for product "Glusterfs" | >= 3.1.0 <= 3.1.2 Search vendor "Gluster" for product "Glusterfs" and version " >= 3.1.0 <= 3.1.2" | - |
Affected
| ||||||
Gluster Search vendor "Gluster" | Glusterfs Search vendor "Gluster" for product "Glusterfs" | >= 4.1.0 <= 4.1.4 Search vendor "Gluster" for product "Glusterfs" and version " >= 4.1.0 <= 4.1.4" | - |
Affected
| ||||||
Redhat Search vendor "Redhat" | Virtualization Host Search vendor "Redhat" for product "Virtualization Host" | 4.0 Search vendor "Redhat" for product "Virtualization Host" and version "4.0" | - |
Affected
| ||||||
Redhat Search vendor "Redhat" | Enterprise Linux Server Search vendor "Redhat" for product "Enterprise Linux Server" | 6.0 Search vendor "Redhat" for product "Enterprise Linux Server" and version "6.0" | - |
Affected
| ||||||
Redhat Search vendor "Redhat" | Enterprise Linux Server Search vendor "Redhat" for product "Enterprise Linux Server" | 7.0 Search vendor "Redhat" for product "Enterprise Linux Server" and version "7.0" | - |
Affected
| ||||||
Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0" | - |
Affected
|