CVE-2018-1112 — Improper Authentication in Glusterfs

CWE-287 — Improper Authentication11 documents8 sources

Severity

8.8HIGHNVD

CNA8.1OSV8.1

EPSS

2.0%

top 16.49%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gluster Glusterfs

Timeline

PublishedApr 25

Latest updateMay 13

Description

glusterfs server before versions 3.10.12, 4.0.2 is vulnerable when using 'auth.allow' option which allows any unauthenticated gluster client to connect from any network to mount gluster storage volumes. NOTE: this vulnerability exists because of a CVE-2018-1088 regression.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶NVDgluster/glusterfs< 3.10.12+1

▶Ubuntugluster/glusterfs< 3.7.6-1ubuntu1+esm1+1

🔴Vulnerability Details

GHSA

GHSA-g75c-rwx3-m2xp: glusterfs server before versions 3↗2022-05-13

▶

OSV

CVE-2018-1112: glusterfs server before versions 3↗2018-04-25

▶

CVEList

CVE-2018-1112: glusterfs server before versions 3↗2018-04-25

▶

💥Exploits & PoCs

Exploit-DB

CloudMe 1.11.2 - Buffer Overflow ROP (DEP_ASLR)↗2020-09-29

▶

Exploit-DB

CloudMe Sync 1.11.2 Buffer Overflow - WoW64 (DEP Bypass)↗2019-01-28

▶

Exploit-DB

CloudMe Sync 1.11.2 - Buffer Overflow + Egghunt↗2019-01-22

▶

📋Vendor Advisories

Red Hat

glusterfs: auth.allow allows unauthenticated clients to mount gluster volumes (CVE-2018-1088 regression)↗2018-04-19

▶

Debian

CVE-2018-1112: glusterfs - glusterfs server before versions 3.10.12, 4.0.2 is vulnerable when using 'auth.a...↗2018

▶

💬Community

Bugzilla

CVE-2018-1112 glusterfs: auth.allow allows unauthenticated clients to mount gluster volumes (CVE-2018-1088 regression) [fedora-all]↗2018-04-24

▶

Bugzilla

CVE-2018-1112 glusterfs: auth.allow allows unauthenticated clients to mount gluster volumes (CVE-2018-1088 regression)↗2018-04-23

▶