Symlink Flaw in GlusterFS Server Allows File Path Manipulation
CVE-2018-10928

8.8HIGH

Key Information:

Vendor: Red Hat
Status: Glusterfs
Vendor: CVE Published:; 4 September 2018

What is CVE-2018-10928?

A flaw exists in the RPC request handling of the GlusterFS server, specifically in the gfs3_symlink_req function. This issue allows attackers with authentication to create symlinks that lead to file paths outside the Gluster volume, posing a risk of manipulation and arbitrary code execution on server nodes. Proper security measures should be taken to mitigate the effects of this vulnerability, as it can lead to compromised server integrity.

Affected Version(s)

glusterfs

References

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10928

x_refsource_CONFIRM

https://access.redhat.com/errata/RHSA-2018:2607

vendor-advisoryx_refsource_REDHAT

https://lists.debian.org/debian-lts-announce/2018/09/msg0...

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 4, 2018
Vulnerability Reserved
May 9, 2018

Red Hat

What is CVE-2018-10928?

Affected Version(s)

References

CVSS V3.1

Timeline