CVE-2018-1088: A privilege escalation flaw was found in gluster 3.x snapshot scheduler. Any gluster client allowed to mount gluster volumes could also mount shared gluster…

high8.1CVSS 3.0

AVNACHPRNUINSUCHIHAH

A privilege escalation flaw was found in gluster 3.x snapshot scheduler. Any gluster client allowed to mount gluster volumes could also mount shared gluster storage volume and escalate privileges by scheduling malicious cronjob via symlink.

Affected

18 ranges

Vendor	Product	Version range	Fixed in
debian	debian_linux	—	—
debian	glusterfs	< glusterfs 4.0.2-1 (bookworm)	glusterfs 4.0.2-1 (bookworm)
debian	glusterfs	—	—
gluster	glusterfs	< 3.10.12	3.10.12
gluster	glusterfs	—	—
gluster	glusterfs	>= 0 < 4.0.2-1	4.0.2-1
gluster	glusterfs	>= 0 < 4.0.2-1	4.0.2-1
gluster	glusterfs	>= 0 < 4.0.2-1	4.0.2-1
gluster	glusterfs	>= 0 < 4.0.2-1	4.0.2-1
gluster	glusterfs	>= 0 < 3.4.2-1ubuntu1+esm1	3.4.2-1ubuntu1+esm1
gluster	glusterfs	>= 0 < 3.7.6-1ubuntu1+esm1	3.7.6-1ubuntu1+esm1
gluster	glusterfs	>= 0 < 3.13.2-1ubuntu1+esm1	3.13.2-1ubuntu1+esm1
opensuse	leap	—	—
redhat	enterprise_linux_server	—	—
redhat	enterprise_linux_server	—	—
redhat	gluster_storage	3.0 – 3.13.2	—
redhat	virtualization	—	—
redhat	virtualization_host	—	—

CVSS provenance

nvdv3.08.8HIGHCVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

nvdv3.18.1HIGHCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

osv8.1HIGH