CVE-2018-10926
Published: 4 September 2018
A flaw was found in RPC request using gfs3_mknod_req supported by glusterfs server. An authenticated attacker could use this flaw to write files to an arbitrary location via path traversal and execute arbitrary code on a glusterfs server node.
From the Ubuntu Security Team
It was discovered that GlusterFS incorrectly handled RPC requests. An attacker could possibly use this issue to write iles to an arbitrary location and execute arbitrary code.
Priority
Status
Package | Release | Status |
---|---|---|
glusterfs Launchpad, Ubuntu, Debian |
bionic |
Released
(3.13.2-1ubuntu1+esm1)
Available with Ubuntu Pro |
cosmic |
Ignored
(end of life)
|
|
disco |
Not vulnerable
(4.1.4-1)
|
|
eoan |
Not vulnerable
(4.1.4-1)
|
|
focal |
Not vulnerable
(4.1.4-1)
|
|
groovy |
Not vulnerable
(4.1.4-1)
|
|
hirsute |
Not vulnerable
(4.1.4-1)
|
|
impish |
Not vulnerable
(4.1.4-1)
|
|
jammy |
Not vulnerable
(4.1.4-1)
|
|
kinetic |
Not vulnerable
(4.1.4-1)
|
|
lunar |
Not vulnerable
(4.1.4-1)
|
|
trusty |
Released
(3.4.2-1ubuntu1+esm1)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
|
upstream |
Needs triage
|
|
xenial |
Released
(3.7.6-1ubuntu1+esm1)
Available with Ubuntu Pro |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 8.8 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | Low |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |