CVE-2018-10928

high

Description

A flaw was found in the glusterfs server's handling of the gfs3_symlink_req RPC request: the server did not restrict symlink destinations, so a link could be made to point to file paths outside of the gluster volume. An authenticated attacker could use this flaw to create arbitrary symlinks pointing anywhere on the server's filesystem and, through them, execute arbitrary code on glusterfs server nodes.
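
The check the description implies is that a requested symlink target, resolved relative to the directory that will hold the link, must not be able to climb above the volume root. The following is an added illustration written for this page; it is not GlusterFS code and not the upstream fix for this CVE, and the function names, the `link_dir`/`target` parameters and the sample requests are all constructed for the example. It rejects absolute targets outright (on a brick they would resolve against the server's own filesystem) and walks relative targets component by component, refusing the request the moment a `..` would step above the root.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Illustrative lexical containment check for a symlink-creation request
 * (added example, not GlusterFS's own code).  The server knows the
 * directory that will hold the new link and the target string the client
 * supplied; the question is whether that target, resolved relative to the
 * link's directory, can ever land outside the volume root.
 */

/* Walk the '/'-separated components of `path`, starting `depth` levels
 * below the volume root.  Returns the final depth, or -1 as soon as a
 * ".." component would climb above the root. */
static int walk_components(const char *path, int depth)
{
    const char *p = path;
    while (*p) {
        while (*p == '/')
            p++;                        /* skip separators, collapse "//" */
        const char *seg = p;
        while (*p && *p != '/')
            p++;
        size_t n = (size_t)(p - seg);
        if (n == 0 || (n == 1 && seg[0] == '.'))
            continue;                   /* "" or ".": no movement */
        if (n == 2 && seg[0] == '.' && seg[1] == '.') {
            if (--depth < 0)
                return -1;              /* escaped the volume root */
            continue;
        }
        depth++;                        /* ordinary name: one level down */
    }
    return depth;
}

/* link_dir: directory of the new symlink, relative to the volume root
 *           ("" for the root itself); assumed already validated.
 * target:   the link content requested by the client (hypothetical
 *           parameter names, not the gfs3_symlink_req field names).
 * Returns true only if the target cannot leave the volume root. */
bool symlink_target_in_volume(const char *link_dir, const char *target)
{
    if (target[0] == '/')
        return false;   /* absolute: would resolve on the server's own fs */
    int depth = walk_components(link_dir, 0);
    if (depth < 0)
        return false;   /* malformed link_dir: refuse rather than guess */
    return walk_components(target, depth) >= 0;
}

int main(void)
{
    /* Constructed sample requests: (link directory, requested target). */
    static const char *reqs[][2] = {
        { "data/home", "../shared/readme" },     /* stays inside          */
        { "data/home", "../../../etc/passwd" },  /* climbs above the root */
        { "",          "/etc/passwd" },          /* absolute target       */
        { "a",         "b/../../c" },            /* nets out to "c"       */
        { "a/b/c",     "../../../../x" },        /* one ".." too many     */
    };
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        bool ok = symlink_target_in_volume(reqs[i][0], reqs[i][1]);
        printf("%-10s -> %-22s %s\n", reqs[i][0], reqs[i][1],
               ok ? "ACCEPT" : "REJECT");
    }
    return 0;
}
```

This is a purely lexical test: it reasons about the strings, not the filesystem. It does not see an existing symlink among the components of `link_dir` or `target`, so a server that later opens paths on the brick still has to refuse to follow symlinks during its own traversal (O_NOFOLLOW / directory-fd-relative opens); the lexical check only closes the hole of recording an escaping target in the first place.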

References

http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00035.html

https://access.redhat.com/errata/RHSA-2018:2607

https://access.redhat.com/errata/RHSA-2018:2608

https://access.redhat.com/errata/RHSA-2018:3470

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10928

https://lists.debian.org/debian-lts-announce/2018/09/msg00021.html

https://lists.debian.org/debian-lts-announce/2021/11/msg00000.html

https://security.gentoo.org/glsa/201904-06

Details

Source: Mitre, NVD

Published: 2018-09-04

Risk Information

CVSS v2

Base Score: 6.5

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Severity: High