CVE-2018-10911

HIGH

Glusterfs < 3.12.14 - Integer Overflow

Title source: rule

Description

A flaw was found in the way dic_unserialize function of glusterfs does not handle negative key length values. An attacker could use this flaw to read memory from other locations into the stored dict value.

References (11)

[Mailing List, Third Party Advisory] http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00035.html

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2018:2607

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2018:2608

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2018:2892

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2018:3242

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2018:3470

[Issue Tracking, Third Party Advisory] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10911

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2018/09/msg00021.html

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2021/11/msg00000.html

[Patch, Vendor Advisory] https://review.gluster.org/#/c/glusterfs/+/21067/

[Third Party Advisory] https://security.gentoo.org/glsa/201904-06

Scores

CVSS v3 7.5

EPSS 0.0455

EPSS Percentile 89.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Classification

CWE

CWE-190 CWE-200 CWE-502

Status published

Affected Products (11)

gluster/glusterfs < 3.12.14

redhat/virtualization_host

redhat/enterprise_linux_desktop

redhat/enterprise_linux_server

redhat/enterprise_linux_workstation

debian/debian_linux

opensuse/leap

Timeline

Published Sep 04, 2018

Tracked Since Feb 18, 2026