23 matches found
CVE-2018-10930
CVE-2018-10930 affects GlusterFS server: an authenticated attacker can misuse RPC gfs3_rename_req to write outside the gluster volume. Affected product variant shown in connected docs is PowerKVM 3.1; remediation provided via updates to GlusterFS (e.g., Red Hat/CentOS advisories and Debian LTS no...
CVE-2018-10926
CVE-2018-10926 affects GlusterFS: a flaw in RPC handling of gfs3_mknod_req allows an authenticated remote attacker to write files to arbitrary locations via path traversal and execute arbitrary code on the glusterfs server. The issue is addressed in multiple advisories across distributions (e.g.,...
CVE-2018-10929
CVE-2018-10929 affects GlusterFS (server side), where an authenticated attacker could exploit improper validation in the RPC path (gfs2_create_req) to create arbitrary files and potentially execute arbitrary code on storage server nodes. Connected advisories reference multiple vendors (Debian, Re...
CVE-2018-10928
GlusterFS vulnerability CVE-2018-10928: an authenticated remote attacker could exploit improper validation of RPC requests via gfs3_symlink_req to create arbitrary symlinks outside the volume and potentially execute code on the server. Public advisories document multiple remediation streams acros...
CVE-2018-10927
CVE-2018-10927 affects GlusterFS where an authenticated attacker could abuse RPC gfs3_lookup_req to leak information and cause remote denial of service by crashing the gluster brick process. Exploitation details in connected IBM PowerKVM advisory tied to PowerKVM 3.1; fixed in PowerKVM 3.1.0.2 up...
CVE-2018-10907
CVE-2018-10907 is a vulnerability in GlusterFS where the server-rpc-fopc.c code path allocates fixed-size buffers with alloca(3). An authenticated attacker mounting a Gluster volume could send a string longer than the fixed buffer, causing a stack-based overflow that may crash the glusterfs serve...
CVE-2018-10904
CVE-2018-10904 affects GlusterFS servers. The vulnerability arises from improper sanitization of file paths in the trusted.io-stats-dump extended attribute used by the debug/io-stats translator. An attacker with sufficient access to modify extended attributes on a Gluster volume can create files ...
CVE-2018-10911
CVE-2018-10911 affects glusterfs; the dict_unserialize function mishandles negative key length values, allowing a remote attacker to read memory from other locations into the stored dict value. The IBM PowerKVM advisory (and related Red Hat/CentOS/Debian advisories) document remote-authenticated/...
CVE-2018-10913
CVE-2018-10913 affects GlusterFS server. The vulnerability allows an attacker to issue a xattr request via GlusterFS FUSE to determine the existence of files, causing an information disclosure. The connected Nessus/EulerOS Debian advisories list CVE-2018-10913 among multiple GlusterFS issues and ...
CVE-2018-10914
CVE-2018-10914 is a GlusterFS vulnerability where an attacker can issue a xattr request via glusterfs FUSE to crash the gluster brick process, and if multiplexing is enabled, cause crashes across multiple bricks and volumes, enabling a remote denial of service. The issue is documented across mult...
CVE-2018-10923
CVE-2018-10923 affects GlusterFS server. The description in the connected documents shows that the vulnerability arises from the mknod(2) pathway, allowing an authenticated attacker to create device files on a GlusterFS server node and read data from any device attached to the server. This indica...
CVE-2018-14660
CVE-2018-14660 : A flaw in GlusterFS server (versions up to 4.1.4 and 3.1.2) lets a remote, authenticated attacker repeatedly call setxattr on GF_META_LOCK_KEY to create multiple locks for a single inode, leading to memory exhaustion on the GlusterFS server node. Connected documents confirm Glust...
CVE-2018-1112
Summary (CVE-2018-1112) GlusterFS server before 3.10.12 and 4.0.2 is vulnerable when using the auth.allow option. This allows any unauthenticated Gluster client to connect from any network and mount Gluster volumes. The issue is a regression from CVE-2018-1088. Connected advisories corroborate th...
CVE-2018-14661
Technical details for CVE-2018-14661 are not provided in the connected documents. Public information in the initial entry confirms a format-string vulnerability in GlusterFS, but no affected versions, exploit details, or fixes are included here. Monitor for updates.
CVE-2018-14651
CVE-2018-14651 concerns GlusterFS where the fix for several 2018 CVEs (CVE-2018-10927/10926/10928/10929/10930) was incomplete. An authenticated remote attacker could abuse the flawed RPC/xattr/lookup handling to execute arbitrary code, create files, or cause denial of service on GlusterFS server ...
CVE-2018-10924
CVE-2018-10924: GlusterFS is affected by a memory leak in the fsync(2) path of the GlusterFS client code. The leaky memory can be exploited by an authenticated attacker to trigger a denial-of-service via host memory exhaustion. The description does not specify affected versions or a published fix...
CVE-2018-10841
GlusterFS on server nodes is vulnerable to privilege escalation via an authenticated TLS client that uses gluster CLI --remote-host to add itself to the trusted storage pool and perform privileged operations (e.g., managing volumes). The description specifies the root cause as a trust-pool escala...
CVE-2023-26253
In CVE-2023-26253, GlusterFS 11.0 is affected by a stack-based buffer over-read in xlators/mount/fuse/src/fuse-bridge.c. Public details across multiple Nessus/Astra/euleros entries confirm this vulnerability in GlusterFS 11.0 (no vendor-provided patch applies to older packages). Some advisories n...
CVE-2022-48340
CVE-2022-48340 affects GlusterFS 11.0, with a use-after-free in xlators/cluster/dht/src/dht-common.c: dht_setxattr_mds_cbk. The issue is in the DHT handling code for extended attributes, leading to potential denial of service or arbitrary behavior as indicated by the CVSSv3.1 metrics (AV:N/AC:L/P...
CVE-2017-15096
GlusterFS (glibster?), specifically glusterfsd, is affected in versions prior to 3.10. The issue is a null pointer dereference in send_brick_req() in gf_attach.c, which can lead to a denial of service. The connected advisories/show updates indicate fixed releases (e.g., Fedora updates for gluster...
CVE-2012-4417
CVE-2012-4417 affects GlusterFS 3.3.0 as used in Red Hat Storage Server 2.0, where local users can overwrite arbitrary files via a symlink attack on temporary files with predictable names. The issue is tied to insecure temporary file creation in GlusterFS components; impact is partial confidentia...
CVE-2014-3619
CVE-2014-3619 affects GlusterFS, specifically the __socket_proto_state_machine in GlusterFS 3.5, where a crafted 00000000 fragment header can trigger a remote denial of service via an infinite loop. Multiple connected sources confirm the root cause in the network handling path and document that a...
CVE-2012-5635
The CVE-2012-5635 entry concerns GlusterFS functionality in Red Hat Storage Management Console 2.0, Native Client, and Server 2.0. It is caused by a symlink-based attack that lets local users overwrite arbitrary files via multiple temporary files (e.g., tests/volume.rc, extras/hook-scripts/S30sam...