CVE-2018-14651
HIGH
GlusterFS - Authenticated Symlink Remote Code Execution
Title source: manual
Description
It was found that the fix for CVE-2018-10927, CVE-2018-10928, CVE-2018-10929, CVE-2018-10930, and CVE-2018-10926 was incomplete. A remote, authenticated attacker could use one of these flaws to execute arbitrary code, create arbitrary files, or cause denial of service on glusterfs server nodes via symlinks to relative paths.
References (5)
Core References
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14651
Third Party Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:3431
Third Party Advisory mailing-list
x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2018/11/msg00003.html
Third Party Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:3432
Third Party Advisory vendor-advisory
x_refsource_gentoo
https://security.gentoo.org/glsa/201904-06
Scores
CVSS v3
8.8
EPSS
0.0208
EPSS Percentile
84.3%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-59
Status
published
Products (4)
debian/debian_linux
8.0
gluster/glusterfs
3.12 - 3.12.14
redhat/enterprise_linux
6.0
redhat/enterprise_linux
7.0
Published
Oct 31, 2018
Tracked Since
Feb 18, 2026