CVE-2018-1112
Published: 25 April 2018
glusterfs server before versions 3.10.12, 4.0.2 is vulnerable when using 'auth.allow' option which allows any unauthenticated gluster client to connect from any network to mount gluster storage volumes. NOTE: this vulnerability exists because of a CVE-2018-1088 regression.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
glusterfs Launchpad, Ubuntu, Debian |
artful |
Ignored
(end of life)
|
| bionic |
Not vulnerable
(3.13.2-1ubuntu1+esm1)
|
|
| cosmic |
Not vulnerable
(4.0.2-1)
|
|
| disco |
Not vulnerable
(4.0.2-1)
|
|
| eoan |
Not vulnerable
(4.0.2-1)
|
|
| focal |
Not vulnerable
(4.0.2-1)
|
|
| groovy |
Not vulnerable
(4.0.2-1)
|
|
| hirsute |
Not vulnerable
(4.0.2-1)
|
|
| impish |
Not vulnerable
(4.0.2-1)
|
|
| jammy |
Not vulnerable
(4.0.2-1)
|
|
| kinetic |
Not vulnerable
(4.0.2-1)
|
|
| lunar |
Not vulnerable
(4.0.2-1)
|
|
| trusty |
Not vulnerable
(code not present)
|
|
| upstream |
Needs triage
|
|
| xenial |
Not vulnerable
(3.7.6-1ubuntu1+esm1)
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 8.8 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |