Product:

Glusterfs

(Gluster)
Repositories

Unknown:

This might be proprietary software.

#Vulnerabilities 21
Date Id Summary Products Score Patch Annotated
2018-09-04 CVE-2018-10904 It was found that glusterfs server does not properly sanitize file paths in the "trusted.io-stats-dump" extended attribute which is used by the "debug/io-stats" translator. Attacker can use this flaw to create files and execute arbitrary code. To exploit this attacker would require sufficient access to modify the extended attributes of files on a gluster volume. Debian_linux, Glusterfs, Enterprise_linux_server, Virtualization_host 8.8
2018-09-04 CVE-2018-10907 It was found that glusterfs server is vulnerable to multiple stack based buffer overflows due to functions in server-rpc-fopc.c allocating fixed size buffers using 'alloca(3)'. An authenticated attacker could exploit this by mounting a gluster volume and sending a string longer that the fixed buffer size to cause crash or potential code execution. Debian_linux, Glusterfs, Leap, Enterprise_linux_server, Virtualization_host 8.8
2018-04-25 CVE-2018-1112 glusterfs server before versions 3.10.12, 4.0.2 is vulnerable when using 'auth.allow' option which allows any unauthenticated gluster client to connect from any network to mount gluster storage volumes. NOTE: this vulnerability exists because of a CVE-2018-1088 regression. Glusterfs 8.8
2018-10-31 CVE-2018-14661 It was found that usage of snprintf function in feature/locks translator of glusterfs server 3.8.4, as shipped with Red Hat Gluster Storage, was vulnerable to a format string attack. A remote, authenticated attacker could use this flaw to cause remote denial of service. Glusterfs 6.5
2018-10-31 CVE-2018-14651 It was found that the fix for CVE-2018-10927, CVE-2018-10928, CVE-2018-10929, CVE-2018-10930, and CVE-2018-10926 was incomplete. A remote, authenticated attacker could use one of these flaws to execute arbitrary code, create arbitrary files, or cause denial of service on glusterfs server nodes via symlinks to relative paths. Debian_linux, Glusterfs, Enterprise_linux 8.8
2018-09-04 CVE-2018-10924 It was discovered that fsync(2) system call in glusterfs client code leaks memory. An authenticated attacker could use this flaw to launch a denial of service attack by making gluster clients consume memory of the host machine. Glusterfs 6.5
2018-06-20 CVE-2018-10841 glusterfs is vulnerable to privilege escalation on gluster server nodes. An authenticated gluster client via TLS could use gluster cli with --remote-host command to add it self to trusted storage pool and perform privileged gluster operations like adding other machines to trusted storage pool, start, stop, and delete volumes. Glusterfs 8.8
2017-10-26 CVE-2017-15096 A flaw was found in GlusterFS in versions prior to 3.10. A null pointer dereference in send_brick_req function in glusterfsd/src/gf_attach.c may be used to cause denial of service. Glusterfs 3.3
2015-03-27 CVE-2014-3619 The __socket_proto_state_machine function in GlusterFS 3.5 allows remote attackers to cause a denial of service (infinite loop) via a "00000000" fragment header. Glusterfs, Opensuse N/A
2013-04-09 CVE-2012-5635 The GlusterFS functionality in Red Hat Storage Management Console 2.0, Native Client, and Server 2.0 allows local users to overwrite arbitrary files via a symlink attack on multiple temporary files created by (1) tests/volume.rc, (2) extras/hook-scripts/S30samba-stop.sh, and possibly other vectors, different vulnerabilities than CVE-2012-4417. Glusterfs, Storage_management_console, Storage_native_client, Storage_server N/A