CVE-2018-10841

Name: CVE-2018-10841
Description: glusterfs is vulnerable to privilege escalation on gluster server nodes. An authenticated gluster client via TLS could use gluster cli with --remote-host command to add itself to trusted storage pool and perform privileged gluster operations like adding other machines to trusted storage pool, start, stop, and delete volumes.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium
Debian Bugs: 901968

Vulnerable and fixed packages

The table below lists information on source packages.

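| Source Package | Release | Version | Status |
|---|---|---|---|
| glusterfs (PTS) | stretch | 3.8.8-1 | vulnerable |
| glusterfs | buster | 5.5-3 | fixed |
| glusterfs | bullseye | 9.2-1 | fixed |
| glusterfs | bookworm, sid | 9.3-2 | fixed |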

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| glusterfs | source | jessie | (not affected) | | | |
| glusterfs | source | (unstable) | 4.1.2-1 | | | 901968 |

Notes

[stretch] - glusterfs <no-dsa> (Minor issue; can be fixed via point release)
[jessie] - glusterfs <not-affected> (vulnerable code not present)
https://review.gluster.org/#/c/20328/
http://git.gluster.org/cgit/glusterfs.git/commit/?id=e8d928e34680079e42be6947ffacc4ddd7defca2
