Description
glusterfs server before versions 3.10.12 and 4.0.2 is vulnerable when using the 'auth.allow' option, which allows any unauthenticated gluster client to connect from any network and mount gluster storage volumes. NOTE: this vulnerability exists because of a CVE-2018-1088 regression.
References (6)
Issue Tracking, Third Party Advisory (x_refsource_confirm): https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1112
Vendor Advisory (x_refsource_confirm): https://review.gluster.org/#/c/19899/1..2
Third Party Advisory (x_refsource_confirm): https://access.redhat.com/articles/3422521
Third Party Advisory, vendor-advisory (x_refsource_redhat): https://access.redhat.com/errata/RHSA-2018:1268
Third Party Advisory, vendor-advisory (x_refsource_redhat): https://access.redhat.com/errata/RHSA-2018:1269
Mailing List, vendor-advisory (x_refsource_suse): http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00035.html
Scores
CVSS v3: 8.0
EPSS: 0.0238
EPSS Percentile: 81.8%
Attack Vector: ADJACENT_NETWORK
CVSS Vector: CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
CWE: CWE-287
Status: published
Products (2)
gluster/glusterfs 4.0.2
gluster/glusterfs < 3.10.12
Published: Apr 25, 2018
Tracked Since: Feb 18, 2026