{"containers": {"cna": {"affected": [{"product": "glusterfs", "vendor": "Red Hat", "versions": [{"status": "affected", "version": "all"}]}], "datePublic": "2018-06-20T00:00:00", "descriptions": [{"lang": "en", "value": "glusterfs is vulnerable to privilege escalation on gluster server nodes. An authenticated gluster client via TLS could use gluster cli with --remote-host command to add it self to trusted storage pool and perform privileged gluster operations like adding other machines to trusted storage pool, start, stop, and delete volumes."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-288", "description": "CWE-288", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-11-02T02:06:37", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10841"}, {"name": "RHSA-2018:1955", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:1955"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://review.gluster.org/#/c/20328/"}, {"name": "RHSA-2018:1954", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:1954"}, {"name": "GLSA-201904-06", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/201904-06"}, {"name": "[debian-lts-announce] 20211101 [SECURITY] [DLA 2806-1] glusterfs security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2021/11/msg00000.html"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T07:46:47.063Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10841"}, {"name": "RHSA-2018:1955", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2018:1955"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://review.gluster.org/#/c/20328/"}, {"name": "RHSA-2018:1954", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2018:1954"}, {"name": "GLSA-201904-06", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/201904-06"}, {"name": "[debian-lts-announce] 20211101 [SECURITY] [DLA 2806-1] glusterfs security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2021/11/msg00000.html"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2018-10841", "datePublished": "2018-06-20T18:00:00", "dateReserved": "2018-05-09T00:00:00", "dateUpdated": "2024-08-05T07:46:47.063Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gluster:glusterfs:*:*:*:*:*:*:*:*", "matchCriteriaId": "E1E7DD58-1DE9-4E2C-A091-99F80B6ACA14", "versionEndExcluding": "4.1.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "glusterfs is vulnerable to privilege escalation on gluster server nodes. An authenticated gluster client via TLS could use gluster cli with --remote-host command to add it self to trusted storage pool and perform privileged gluster operations like adding other machines to trusted storage pool, start, stop, and delete volumes."}, {"lang": "es", "value": "glusterfs es vulnerable a un escalado de privilegios en los nodos del servidor gluster. Un cliente gluster autenticado mediante TLS podr\u00eda emplear la interfaz de l\u00ednea de comandos de gluster con el comando --remote-host para a\u00f1adirse a s\u00ed mismo al pool de almacenamiento fiable y realizar operaciones gluster privilegiadas, como la adici\u00f3n de otras m\u00e1quinas al pool de almacenamiento fiable, iniciar, detener y eliminar vol\u00famenes."}], "id": "CVE-2018-10841", "lastModified": "2024-11-21T03:42:07.263", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 0.7, "impactScore": 5.9, "source": "secalert@redhat.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-06-20T18:29:00.233", "references": [{"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:1954"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:1955"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10841"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2021/11/msg00000.html"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://review.gluster.org/#/c/20328/"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/201904-06"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:1954"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:1955"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10841"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2021/11/msg00000.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://review.gluster.org/#/c/20328/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/201904-06"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-288"}], "source": "secalert@redhat.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2018:1955", "cpe": "cpe:/a:redhat:storage:3:client:el6", "package": "glusterfs-0:3.8.4-54.11.el6", "product_name": "Native Client for RHEL 6 for Red Hat Storage", "release_date": "2018-06-20T00:00:00Z"}, {"advisory": "RHSA-2018:1954", "cpe": "cpe:/a:redhat:storage:3:client:el7", "package": "glusterfs-0:3.8.4-54.10.el7", "product_name": "Native Client for RHEL 7 for Red Hat Storage", "release_date": "2018-06-20T00:00:00Z"}, {"advisory": "RHSA-2018:1955", "cpe": "cpe:/a:redhat:storage:3.3:server:el6", "package": "glusterfs-0:3.8.4-54.11.el6rhs", "product_name": "Red Hat Gluster Storage 3.3 for RHEL 6", "release_date": "2018-06-20T00:00:00Z"}, {"advisory": "RHSA-2018:1954", "cpe": "cpe:/a:redhat:storage:3.3:server:el7", "package": "glusterfs-0:3.8.4-54.10.el7rhgs", "product_name": "Red Hat Gluster Storage 3.3 for RHEL 7", "release_date": "2018-06-20T00:00:00Z"}, {"advisory": "RHSA-2018:1954", "cpe": "cpe:/o:redhat:enterprise_linux:7::hypervisor", "package": "glusterfs-0:3.8.4-54.10.el7", "product_name": "Red Hat Virtualization 4 for Red Hat Enterprise Linux 7", "release_date": "2018-06-20T00:00:00Z"}], "bugzilla": {"description": "glusterfs: access trusted peer group via remote-host command", "id": "1582043", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1582043"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.6", "cvss3_scoring_vector": "CVSS:3.0/AV:A/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-287", "details": ["glusterfs is vulnerable to privilege escalation on gluster server nodes. An authenticated gluster client via TLS could use gluster cli with --remote-host command to add it self to trusted storage pool and perform privileged gluster operations like adding other machines to trusted storage pool, start, stop, and delete volumes.", "A flaw was found in glusterfs which can lead to privilege escalation on gluster server nodes. An authenticated gluster client via TLS could use gluster cli with --remote-host command to add it self to trusted storage pool and perform privileged gluster operations like adding other machines to trusted storage pool, start, stop, and delete volumes."], "name": "CVE-2018-10841", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "glusterfs", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "glusterfs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:rhev_hypervisor:4", "fix_state": "Not affected", "package_name": "redhat-virtualization-host", "product_name": "Red Hat Virtualization 4"}], "public_date": "2018-06-20T10:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2018-10841\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-10841"], "statement": "Red Hat Enterprise Linux 6, 7 are not affected by this flaw as it only affects glusterfs-server package. Red Hat Virtualization Hypervisor is not impacted by this flaw, as it uses gluster in a controlled manner via vdsm.", "threat_severity": "Important"}