CVE-2018-10928

high

Description

A flaw was found in RPC request using gfs3_symlink_req in glusterfs server which allows symlink destinations to point to file paths outside of the gluster volume. An authenticated attacker could use this flaw to create arbitrary symlinks pointing anywhere on the server and execute arbitrary code on glusterfs server nodes.

References

Advisories

https://security.gentoo.org/glsa/201904-06

https://lists.debian.org/debian-lts-announce/2021/11/msg00000.html

https://lists.debian.org/debian-lts-announce/2018/09/msg00021.html

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10928

https://access.redhat.com/errata/RHSA-2018:3470

https://access.redhat.com/errata/RHSA-2018:2608

https://access.redhat.com/errata/RHSA-2018:2607

http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00035.html

Details

Source: Mitre, NVD

Published: 2018-09-04

Updated: 2024-11-21

Risk Information

CVSS v2

Base Score: 6.5

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Severity: High

EPSS

EPSS: 0.0133