CVE-2018-10841

Name: CVE-2018-10841
Description: glusterfs is vulnerable to privilege escalation on gluster server nodes. An authenticated gluster client via TLS could use gluster cli with --remote-host command to add itself to trusted storage pool and perform privileged gluster operations like adding other machines to trusted storage pool, start, stop, and delete volumes.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium (attack range: remote)
Debian Bugs: 901968

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| glusterfs (PTS) | jessie | 3.5.2-2+deb8u3 | fixed |
| | jessie (security) | 3.5.2-2+deb8u5 | fixed |
| | stretch | 3.8.8-1 | vulnerable |
| | buster, sid | 5.1-2 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| glusterfs | source | (unstable) | 4.1.2-1 | medium | | 901968 |
| glusterfs | source | jessie | (not affected) | | | |

Notes

[jessie] - glusterfs <not-affected> (vulnerable code not present)
https://review.gluster.org/#/c/20328/
http://git.gluster.org/cgit/glusterfs.git/commit/?id=e8d928e34680079e42be6947ffacc4ddd7defca2
