Your submission was sent successfully! Close

CVE-2018-14654

Published: 31 October 2018

The Gluster file system through version 4.1.4 is vulnerable to abuse of the 'features/index' translator. A remote attacker with access to mount volumes could exploit this via the 'GF_XATTROP_ENTRY_IN_KEY' xattrop to create arbitrary, empty files on the target server.

From the Ubuntu security team

It was discovered that GlusterFS incorrectly handled mount volumes operation. A remote attacker could possibly use this issue to create arbitrary files.

Priority

Medium

CVSS 3 base score: 6.5

Status

Package Release Status
glusterfs
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 21.10 (Impish Indri) Not vulnerable
(4.1.4-1)
Ubuntu 21.04 (Hirsute Hippo) Not vulnerable
(4.1.4-1)
Ubuntu 20.04 LTS (Focal Fossa) Not vulnerable
(4.1.4-1)
Ubuntu 18.04 LTS (Bionic Beaver) Needed

Ubuntu 16.04 ESM (Xenial Xerus) Not vulnerable
(code not present)
Ubuntu 14.04 ESM (Trusty Tahr) Not vulnerable
(code not present)