CVE-2018-10926Improper Input Validation in Glusterfs

CWE-20Improper Input ValidationCWE-22Path TraversalCWE-59Link Following11 documents8 sources
Severity
8.8HIGHNVD
EPSS
1.4%
top 19.59%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
7
Gluster GlusterfsRED HAT GlusterfsDebian Linux+4 more
Timeline
PublishedSep 4
Latest updateMay 13

Description

A flaw was found in RPC request using gfs3_mknod_req supported by glusterfs server. An authenticated attacker could use this flaw to write files to an arbitrary location via path traversal and execute arbitrary code on a glusterfs server node.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages6 packages

NVDgluster/glusterfs3.123.12.14+1
Debiangluster/glusterfs< 4.1.4-1+3
CVEListV5red_hat/glusterfsn/a
NVDopensuse/leap15.1

Also affects: Debian Linux 8.0, 9.0, Enterprise Linux 6.0, 7.0

🔴Vulnerability Details

3
GHSA
GHSA-pjmw-qwj2-f9fg: A flaw was found in RPC request using gfs3_mknod_req supported by glusterfs server2022-05-13
CVEList
CVE-2018-10926: A flaw was found in RPC request using gfs3_mknod_req supported by glusterfs server2018-09-04
OSV
CVE-2018-10926: A flaw was found in RPC request using gfs3_mknod_req supported by glusterfs server2018-09-04

📋Vendor Advisories

4
Ubuntu
GlusterFS vulnerabilities2021-03-15
Red Hat
glusterfs: glusterfs server exploitable via symlinks to relative paths2018-10-31
Red Hat
glusterfs: Device files can be created in arbitrary locations2018-09-04
Debian
CVE-2018-10926: glusterfs - A flaw was found in RPC request using gfs3_mknod_req supported by glusterfs serv...2018

💬Community

3
Bugzilla
CVE-2018-14651 glusterfs: glusterfs server exploitable via symlinks to relative paths2018-09-25
Bugzilla
CVE-2018-10926 glusterfs: Device files can be created in arbitrary locations [fedora-all]2018-09-04
Bugzilla
CVE-2018-10926 glusterfs: Device files can be created in arbitrary locations2018-08-07
CVE-2018-10926 — Improper Input Validation in Glusterfs | cvebase