{"containers": {"cna": {"affected": [{"product": "glusterfs", "vendor": "Red Hat", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2018-09-04T00:00:00", "descriptions": [{"lang": "en", "value": "A flaw was found in RPC request using gfs3_rename_req in glusterfs server. An authenticated attacker could use this flaw to write to a destination outside the gluster volume."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-11-02T02:06:18", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10930"}, {"name": "RHSA-2018:2607", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:2607"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://review.gluster.org/#/c/glusterfs/+/21068/"}, {"name": "[debian-lts-announce] 20180920 [SECURITY] [DLA 1510-1] glusterfs security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2018/09/msg00021.html"}, {"name": "RHSA-2018:2608", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:2608"}, {"name": "RHSA-2018:3470", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2018:3470"}, {"name": "GLSA-201904-06", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/201904-06"}, {"name": "openSUSE-SU-2020:0079", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00035.html"}, {"name": "[debian-lts-announce] 20211101 [SECURITY] [DLA 2806-1] glusterfs security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2021/11/msg00000.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2018-10930", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "glusterfs", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "Red Hat"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A flaw was found in RPC request using gfs3_rename_req in glusterfs server. An authenticated attacker could use this flaw to write to a destination outside the gluster volume."}]}, "impact": {"cvss": [[{"vectorString": "6.5/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.0"}]]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-20"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10930", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10930"}, {"name": "RHSA-2018:2607", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:2607"}, {"name": "https://review.gluster.org/#/c/glusterfs/+/21068/", "refsource": "CONFIRM", "url": "https://review.gluster.org/#/c/glusterfs/+/21068/"}, {"name": "[debian-lts-announce] 20180920 [SECURITY] [DLA 1510-1] glusterfs security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2018/09/msg00021.html"}, {"name": "RHSA-2018:2608", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:2608"}, {"name": "RHSA-2018:3470", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2018:3470"}, {"name": "GLSA-201904-06", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201904-06"}, {"name": "openSUSE-SU-2020:0079", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00035.html"}, {"name": "[debian-lts-announce] 20211101 [SECURITY] [DLA 2806-1] glusterfs security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2021/11/msg00000.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T07:54:35.444Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10930"}, {"name": "RHSA-2018:2607", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2018:2607"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://review.gluster.org/#/c/glusterfs/+/21068/"}, {"name": "[debian-lts-announce] 20180920 [SECURITY] [DLA 1510-1] glusterfs security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2018/09/msg00021.html"}, {"name": "RHSA-2018:2608", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2018:2608"}, {"name": "RHSA-2018:3470", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2018:3470"}, {"name": "GLSA-201904-06", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/201904-06"}, {"name": "openSUSE-SU-2020:0079", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00035.html"}, {"name": "[debian-lts-announce] 20211101 [SECURITY] [DLA 2806-1] glusterfs security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2021/11/msg00000.html"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2018-10930", "datePublished": "2018-09-04T16:00:00", "dateReserved": "2018-05-09T00:00:00", "dateUpdated": "2024-08-05T07:54:35.444Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gluster:glusterfs:*:*:*:*:*:*:*:*", "matchCriteriaId": "6DB9B638-7178-494D-BC59-5571F509C580", "versionEndExcluding": "3.12.14", "versionStartIncluding": "3.12", "vulnerable": true}, {"criteria": "cpe:2.3:a:gluster:glusterfs:*:*:*:*:*:*:*:*", "matchCriteriaId": "3C247725-8819-4CA9-9601-6FF75B5905C7", "versionEndExcluding": "4.1.4", "versionStartIncluding": "4.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "51EF4996-72F4-4FA4-814F-F5991E7A8318", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:virtualization:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "6BBD7A51-0590-4DDF-8249-5AFA8D645CB6", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:virtualization_host:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "BB28F9AF-3D06-4532-B397-96D7E4792503", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*", "matchCriteriaId": "B620311B-34A3-48A6-82DF-6F078D7A4493", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in RPC request using gfs3_rename_req in glusterfs server. An authenticated attacker could use this flaw to write to a destination outside the gluster volume."}, {"lang": "es", "value": "Se ha detectado un error en las peticiones RPC que emplean gfs3_rename_req en el servidor glusterfs. Un atacante autenticado podr\u00eda emplear este error para escribir a un destino fuera del volumen gluster."}], "id": "CVE-2018-10930", "lastModified": "2021-12-10T19:41:31.090", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "secalert@redhat.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-09-04T16:29:00.347", "references": [{"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00035.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:2607"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:2608"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2018:3470"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10930"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2018/09/msg00021.html"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2021/11/msg00000.html"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://review.gluster.org/#/c/glusterfs/+/21068/"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/201904-06"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "secalert@redhat.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{"acknowledgement": "Red Hat would like to thank Michael Hanselmann (hansmi.ch) for reporting this issue.", "affected_release": [{"advisory": "RHSA-2018:2608", "cpe": "cpe:/a:redhat:storage:3:client:el6", "package": "glusterfs-0:3.12.2-18.el6", "product_name": "Native Client for RHEL 6 for Red Hat Storage", "release_date": "2018-09-04T00:00:00Z"}, {"advisory": "RHSA-2018:2607", "cpe": "cpe:/a:redhat:storage:3:client:el7", "package": "glusterfs-0:3.12.2-18.el7", "product_name": "Native Client for RHEL 7 for Red Hat Storage", "release_date": "2018-09-04T00:00:00Z"}, {"advisory": "RHSA-2018:2608", "cpe": "cpe:/a:redhat:storage:3.4:server:el6", "package": "glusterfs-0:3.12.2-18.el6rhs", "product_name": "Red Hat Gluster Storage 3.4 for RHEL 6", "release_date": "2018-09-04T00:00:00Z"}, {"advisory": "RHSA-2018:2608", "cpe": "cpe:/a:redhat:storage:3.4:server:el6", "package": "redhat-release-server-0:6Server-6.10.0.24.el6rhs", "product_name": "Red Hat Gluster Storage 3.4 for RHEL 6", "release_date": "2018-09-04T00:00:00Z"}, {"advisory": "RHSA-2018:2608", "cpe": "cpe:/a:redhat:storage:3.4:server:el6", "package": "redhat-storage-server-0:3.4.0.0-1.el6rhs", "product_name": "Red Hat Gluster Storage 3.4 for RHEL 6", "release_date": "2018-09-04T00:00:00Z"}, {"advisory": "RHSA-2018:2607", "cpe": "cpe:/a:redhat:storage:3.4:server:el7", "package": "glusterfs-0:3.12.2-18.el7rhgs", "product_name": "Red Hat Gluster Storage 3.4 for RHEL 7", "release_date": "2018-09-04T00:00:00Z"}, {"advisory": "RHSA-2018:2607", "cpe": "cpe:/a:redhat:storage:3.4:server:el7", "package": "redhat-release-server-0:7.5-11.el7rhgs", "product_name": "Red Hat Gluster Storage 3.4 for RHEL 7", "release_date": "2018-09-04T00:00:00Z"}, {"advisory": "RHSA-2018:2607", "cpe": "cpe:/a:redhat:storage:3.4:server:el7", "package": "redhat-storage-server-0:3.4.0.0-1.el7rhgs", "product_name": "Red Hat Gluster Storage 3.4 for RHEL 7", "release_date": "2018-09-04T00:00:00Z"}, {"advisory": "RHSA-2018:2607", "cpe": "cpe:/o:redhat:enterprise_linux:7::hypervisor", "impact": "moderate", "package": "glusterfs-0:3.12.2-18.el7", "product_name": "Red Hat Virtualization 4 for Red Hat Enterprise Linux 7", "release_date": "2018-09-04T00:00:00Z"}, {"advisory": "RHSA-2018:3470", "cpe": "cpe:/o:redhat:enterprise_linux:7::hypervisor", "impact": "moderate", "package": "imgbased-0:1.0.29-1.el7ev", "product_name": "Red Hat Virtualization 4 for Red Hat Enterprise Linux 7", "release_date": "2018-11-05T00:00:00Z"}, {"advisory": "RHSA-2018:3470", "cpe": "cpe:/o:redhat:enterprise_linux:7::hypervisor", "impact": "moderate", "package": "redhat-release-virtualization-host-0:4.2-7.3.el7", "product_name": "Red Hat Virtualization 4 for Red Hat Enterprise Linux 7", "release_date": "2018-11-05T00:00:00Z"}, {"advisory": "RHSA-2018:3470", "cpe": "cpe:/o:redhat:enterprise_linux:7::hypervisor", "impact": "moderate", "package": "redhat-virtualization-host-0:4.2-20181026.0.el7_6", "product_name": "Red Hat Virtualization 4 for Red Hat Enterprise Linux 7", "release_date": "2018-11-05T00:00:00Z"}], "bugzilla": {"description": "glusterfs: Files can be renamed outside volume", "id": "1612664", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1612664"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "status": "verified"}, "cwe": "CWE-20", "details": ["A flaw was found in RPC request using gfs3_rename_req in glusterfs server. An authenticated attacker could use this flaw to write to a destination outside the gluster volume.", "A flaw was found in RPC request using gfs3_rename_req in glusterfs server. An authenticated attacker could use this flaw to write to a destination outside the gluster volume."], "mitigation": {"lang": "en:us", "value": "To limit exposure of gluster server nodes : \n1. gluster server should be on LAN and not reachable from public networks. \n2. Use gluster auth.allow and auth.reject. \n3. Use TLS certificates to authenticate gluster clients.\ncaveat: This does not protect from attacks by authenticated gluster clients."}, "name": "CVE-2018-10930", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "glusterfs", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "glusterfs", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "glusterfs", "product_name": "Red Hat Enterprise Linux 8"}], "public_date": "2018-09-04T05:30:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2018-10930\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-10930"], "statement": "This issue did not affect Red Hat Enterprise Linux 6 and 7 as the flaw is present in glusterfs-server, which is not shipped there.\nThis flaw affects glusterfs versions included in Red Hat Virtualization 4 Hypervisor. However, in recommended configurations, the vulnerability is only exposed to hypervisor administrators and can not be exploited from virtual machines or other hosts on the network. For Red Hat Virtualization, Product Security has rated this flaw as Moderate. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.", "threat_severity": "Important", "upstream_fix": "glusterfs 3.12.14, glusterfs 4.1.4"}