It was found that glusterfs server does not properly sanitize file paths in
the “trusted.io-stats-dump” extended attribute which is used by the
“debug/io-stats” translator. Attacker can use this flaw to create files and
execute arbitrary code. To exploit this attacker would require sufficient
access to modify the extended attributes of files on a gluster volume.
bugzilla.redhat.com/show_bug.cgi?id=1601298
bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10904
launchpad.net/bugs/cve/CVE-2018-10904
nvd.nist.gov/vuln/detail/CVE-2018-10904
review.gluster.org/#/c/glusterfs/+/21072/
review.gluster.org/21072
security-tracker.debian.org/tracker/CVE-2018-10904
ubuntu.com/security/notices/USN-4770-1
www.cve.org/CVERecord?id=CVE-2018-10904