CVE-2018-10928

MEDIUM

Description

A flaw was found in the handling of RPC requests using gfs3_symlink_req in the glusterfs server, which allows symlink destinations to point to file paths outside of the gluster volume. An authenticated attacker could use this flaw to create arbitrary symlinks pointing anywhere on the server and execute arbitrary code on glusterfs server nodes.

References

http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00035.html

https://access.redhat.com/errata/RHSA-2018:2607

https://access.redhat.com/errata/RHSA-2018:2608

https://access.redhat.com/errata/RHSA-2018:3470

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10928

https://lists.debian.org/debian-lts-announce/2018/09/msg00021.html

https://security.gentoo.org/glsa/201904-06

Details

Source: MITRE

Published: 2018-09-04

Updated: 2020-10-15

Type: CWE-59

Risk Information

CVSS v2.0

Base Score: 6.5

Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 8

Severity: MEDIUM

CVSS v3.0

Base Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Impact Score: 5.9

Exploitability Score: 2.8

Severity: HIGH

Tenable Plugins

| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 142286 | EulerOS 2.0 SP2 : glusterfs (EulerOS-SA-2020-2347) | Nessus | Huawei Local Security Checks | medium |
| 141768 | EulerOS Virtualization 3.0.2.2 : glusterfs (EulerOS-SA-2020-2187) | Nessus | Huawei Local Security Checks | medium |
| 140886 | EulerOS 2.0 SP3 : glusterfs (EulerOS-SA-2020-2119) | Nessus | Huawei Local Security Checks | medium |
| 137939 | EulerOS Virtualization 3.0.6.0 : glusterfs (EulerOS-SA-2020-1720) | Nessus | Huawei Local Security Checks | medium |
| 136228 | EulerOS Virtualization for ARM 64 3.0.2.0 : glusterfs (EulerOS-SA-2020-1525) | Nessus | Huawei Local Security Checks | medium |
| 133904 | EulerOS 2.0 SP5 : glusterfs (EulerOS-SA-2020-1103) | Nessus | Huawei Local Security Checks | medium |
| 133132 | openSUSE Security Update : glusterfs (openSUSE-2020-79) | Nessus | SuSE Local Security Checks | high |
| 123580 | GLSA-201904-06 : GlusterFS: Multiple Vulnerabilities | Nessus | Gentoo Local Security Checks | high |
| 120672 | Fedora 29 : glusterfs (2018-a54270a213) | Nessus | Fedora Local Security Checks | medium |
| 120410 | Fedora 28 : glusterfs (2018-4e660226e7) | Nessus | Fedora Local Security Checks | medium |
| 118982 | CentOS 7 : glusterfs (CESA-2018:2607) | Nessus | CentOS Local Security Checks | medium |
| 118790 | RHEL 7 : Virtualization Manager (RHSA-2018:3470) | Nessus | Red Hat Local Security Checks | high |
| 117841 | Fedora 27 : glusterfs (2018-9a4d7ec61e) | Nessus | Fedora Local Security Checks | medium |
| 117618 | Debian DLA-1510-1 : glusterfs security update | Nessus | Debian Local Security Checks | medium |
| 117318 | RHEL 6 : Gluster Storage (RHSA-2018:2608) (deprecated) | Nessus | Red Hat Local Security Checks | medium |
| 117317 | RHEL 7 : Gluster Storage (RHSA-2018:2607) | Nessus | Red Hat Local Security Checks | medium |