CVE-2018-10841
HIGH
glusterfs < 4.1.8 - Authenticated Privilege Escalation via Trusted Storage Pool Manipulation
Title source: llmDescription
glusterfs is vulnerable to privilege escalation on gluster server nodes. An authenticated gluster client connecting over TLS could use the gluster CLI with the --remote-host option to add itself to the trusted storage pool and then perform privileged gluster operations, such as adding other machines to the trusted storage pool and starting, stopping, and deleting volumes.
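The practical questions a practitioner has after reading the description are whether a given node runs an affected upstream version and whether an unexpected host has already been added to the trusted storage pool. The helper below, added here as an example and not code from the glusterfs project, answers both from the text output of `gluster --version` and `gluster peer status`. The sample outputs, hostnames and UUIDs are constructed for the example; the version check follows the page's stated range (< 4.1.8) only, so a distribution build that backported the fix without bumping the upstream version (see the Red Hat, Gentoo and Debian advisories in the references) will still be reported as affected and must be checked against the vendor advisory instead.

```python
"""Audit helper for CVE-2018-10841 (added example, not glusterfs project code).

Two checks:
  1. is_affected(): is the upstream glusterfs version below the fixed 4.1.8?
  2. unexpected_peers(): which hosts in `gluster peer status` are not on the
     operator's allowlist? A host that added itself via `--remote-host` would
     show up here as a full member of the trusted storage pool.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Fixed version taken from the advisory's affected range ("< 4.1.8").
FIXED_VERSION: Tuple[int, int, int] = (4, 1, 8)

# `gluster --version` prints a first line such as "glusterfs 4.1.7"; some
# releases print only two components (e.g. "glusterfs 6.0").
_VERSION_RE = re.compile(r"glusterfs\s+(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(version_output: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from `gluster --version` output."""
    m = _VERSION_RE.search(version_output)
    if not m:
        raise ValueError("no glusterfs version string found")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def is_affected(version_output: str) -> bool:
    """True if the reported upstream version is older than the fix."""
    return parse_version(version_output) < FIXED_VERSION


def parse_peers(peer_status_output: str) -> List[Dict[str, str]]:
    """Parse the Hostname/Uuid/State blocks of `gluster peer status`."""
    peers: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in peer_status_output.splitlines():
        line = raw.strip()
        if line.startswith("Hostname:"):
            if current:
                peers.append(current)
            current = {"hostname": line.split(":", 1)[1].strip()}
        elif line.startswith("Uuid:") and current:
            current["uuid"] = line.split(":", 1)[1].strip()
        elif line.startswith("State:") and current:
            current["state"] = line.split(":", 1)[1].strip()
    if current:
        peers.append(current)
    return peers


def unexpected_peers(peer_status_output: str, allowlist: Iterable[str]) -> List[str]:
    """Hostnames present in the pool but absent from the operator's allowlist."""
    allowed = set(allowlist)
    return sorted(p["hostname"] for p in parse_peers(peer_status_output)
                  if p["hostname"] not in allowed)


# Constructed sample outputs (not captured from a real cluster).
SAMPLE_VERSION_OUTPUT = "glusterfs 4.1.7\nRepository revision: git://git.gluster.org/glusterfs.git\n"
SAMPLE_PEER_STATUS = """Number of Peers: 2

Hostname: node2.example.internal
Uuid: 3f0c7b4e-1d2a-4c6e-9b8f-0a1b2c3d4e5f
State: Peer in Cluster (Connected)

Hostname: 203.0.113.7
Uuid: 9a8b7c6d-5e4f-4a3b-8c2d-1e0f9a8b7c6d
State: Peer in Cluster (Connected)
"""
EXPECTED_PEERS = {"node2.example.internal", "node3.example.internal"}

if __name__ == "__main__":
    print("affected:", is_affected(SAMPLE_VERSION_OUTPUT))
    print("unexpected peers:", unexpected_peers(SAMPLE_PEER_STATUS, EXPECTED_PEERS))
```

Run it against real output by piping `gluster --version` and `gluster peer status` into the two functions; the peer check is the one worth scheduling, since a rogue node added through this bug is indistinguishable from a legitimate peer in the CLI output except by its hostname.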
References (6)
Issue Tracking, Third Party Advisory (x_refsource_confirm): https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10841
Third Party Advisory, vendor-advisory (x_refsource_redhat): https://access.redhat.com/errata/RHSA-2018:1955
Patch, Third Party Advisory (x_refsource_confirm): https://review.gluster.org/#/c/20328/
Third Party Advisory, vendor-advisory (x_refsource_redhat): https://access.redhat.com/errata/RHSA-2018:1954
Third Party Advisory, vendor-advisory (x_refsource_gentoo): https://security.gentoo.org/glsa/201904-06
Mailing List, Third Party Advisory (x_refsource_mlist): https://lists.debian.org/debian-lts-announce/2021/11/msg00000.html
Scores
CVSS v3
8.8
EPSS
0.0128
EPSS Percentile
66.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-288 (Authentication Bypass Using an Alternate Path or Channel)
Status
published
Products (2)
debian/debian_linux
9.0
gluster/glusterfs
< 4.1.8
Published
Jun 20, 2018
Tracked Since
Feb 18, 2026