EUVD-2018-11757

Malware in sbrugna...

CVE-2018-1088

A privilege escalation flaw was found in gluster snapshot scheduler. Any gluster client allowed to mount gluster volumes could also mount shared gluster storage volume and escalate privileges by scheduling malicious cronjob via symlink. Mitigation To limit exposure of gluster server nodes : 1...

CVE-2018-10930

A flaw was found in RPC request using gfs3renamereq in glusterfs server. An authenticated attacker could use this flaw to write to a destination outside the gluster volume. Mitigation To limit exposure of gluster server nodes : 1. gluster server should be on LAN and not reachable from public...

CVE-2018-10928

A flaw was found in RPC request using gfs3symlinkreq in glusterfs server which allows symlink destinations to point to file paths outside of the gluster volume. An authenticated attacker could use this flaw to create arbitrary symlinks pointing anywhere on the server and execute arbitrary code on...

CVE-2018-10923

It was found that the "mknod" call derived from mknod2 can create files pointing to devices on a glusterfs server node. An authenticated attacker could use this to create an arbitrary device and read data from any device attached to the glusterfs server node. Mitigation To limit exposure of glust...

CVE-2018-1112

glusterfs server before versions 3.10.12, 4.0.2 is vulnerable when using 'auth.allow' option which allows any unauthenticated gluster client to connect from any network to mount gluster storage volumes. NOTE: this vulnerability exists because of a CVE-2018-1088 regression...