A flaw was found in the handling of the gfs3_symlink_req RPC request in the glusterfs server, which allows symlink destinations to point to file paths outside of the gluster volume. An authenticated attacker could use this flaw to create arbitrary symlinks pointing anywhere on the server and execute arbitrary code on glusterfs server nodes.
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00035.html
https://access.redhat.com/errata/RHSA-2018:2607
https://access.redhat.com/errata/RHSA-2018:2608
https://access.redhat.com/errata/RHSA-2018:3470
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10928
https://lists.debian.org/debian-lts-announce/2018/09/msg00021.html
Source: MITRE
Published: 2018-09-04
Updated: 2020-10-15
Type: CWE-59 (Improper Link Resolution Before File Access, 'Link Following')
CVSS v2 Base Score: 6.5
CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSS v2 Impact Score: 6.4
CVSS v2 Exploitability Score: 8
CVSS v2 Severity: MEDIUM
CVSS v3.0 Base Score: 8.8
CVSS v3.0 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v3.0 Impact Score: 5.9
CVSS v3.0 Exploitability Score: 2.8
CVSS v3.0 Severity: HIGH
Affected configurations (any of the following):
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 142286 | EulerOS 2.0 SP2 : glusterfs (EulerOS-SA-2020-2347) | Nessus | Huawei Local Security Checks | medium |
| 141768 | EulerOS Virtualization 3.0.2.2 : glusterfs (EulerOS-SA-2020-2187) | Nessus | Huawei Local Security Checks | medium |
| 140886 | EulerOS 2.0 SP3 : glusterfs (EulerOS-SA-2020-2119) | Nessus | Huawei Local Security Checks | medium |
| 137939 | EulerOS Virtualization 3.0.6.0 : glusterfs (EulerOS-SA-2020-1720) | Nessus | Huawei Local Security Checks | medium |
| 136228 | EulerOS Virtualization for ARM 64 3.0.2.0 : glusterfs (EulerOS-SA-2020-1525) | Nessus | Huawei Local Security Checks | medium |
| 133904 | EulerOS 2.0 SP5 : glusterfs (EulerOS-SA-2020-1103) | Nessus | Huawei Local Security Checks | medium |
| 133132 | openSUSE Security Update : glusterfs (openSUSE-2020-79) | Nessus | SuSE Local Security Checks | high |
| 123580 | GLSA-201904-06 : GlusterFS: Multiple Vulnerabilities | Nessus | Gentoo Local Security Checks | high |
| 120672 | Fedora 29 : glusterfs (2018-a54270a213) | Nessus | Fedora Local Security Checks | medium |
| 120410 | Fedora 28 : glusterfs (2018-4e660226e7) | Nessus | Fedora Local Security Checks | medium |
| 118982 | CentOS 7 : glusterfs (CESA-2018:2607) | Nessus | CentOS Local Security Checks | medium |
| 118790 | RHEL 7 : Virtualization Manager (RHSA-2018:3470) | Nessus | Red Hat Local Security Checks | high |
| 117841 | Fedora 27 : glusterfs (2018-9a4d7ec61e) | Nessus | Fedora Local Security Checks | medium |
| 117618 | Debian DLA-1510-1 : glusterfs security update | Nessus | Debian Local Security Checks | medium |
| 117318 | RHEL 6 : Gluster Storage (RHSA-2018:2608) (deprecated) | Nessus | Red Hat Local Security Checks | medium |
| 117317 | RHEL 7 : Gluster Storage (RHSA-2018:2607) | Nessus | Red Hat Local Security Checks | medium |