CVE-2018-10841

NameCVE-2018-10841
Descriptionglusterfs is vulnerable to privilege escalation on gluster server nodes. An authenticated gluster client via TLS could use gluster cli with --remote-host command to add it self to trusted storage pool and perform privileged gluster operations like adding other machines to trusted storage pool, start, stop, and delete volumes.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-2806-1
Debian Bugs901968

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
glusterfs (PTS)buster5.5-3fixed
bullseye9.2-1fixed
bookworm10.3-5fixed
sid, trixie11.1-4fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
glusterfssourcejessie(not affected)
glusterfssourcestretch3.8.8-1+deb9u1DLA-2806-1
glusterfssource(unstable)4.1.2-1901968

Notes

[jessie] - glusterfs <not-affected> (vulnerable code not present)
https://review.gluster.org/#/c/20328/
http://git.gluster.org/cgit/glusterfs.git/commit/?id=e8d928e34680079e42be6947ffacc4ddd7defca2
Search for package or bug name: Reporting problems