Vulnerability Details CVE-2018-10911
A flaw was found in the way dic_unserialize function of glusterfs does not handle negative key length values. An attacker could use this flaw to read memory from other locations into the stored dict value.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.046
EPSS Ranking 88.8%
CVSS Severity
CVSS v3 Score 6.5
CVSS v2 Score 5.0
References
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00035.html
- https://access.redhat.com/errata/RHSA-2018:2607
- https://access.redhat.com/errata/RHSA-2018:2608
- https://access.redhat.com/errata/RHSA-2018:2892
- https://access.redhat.com/errata/RHSA-2018:3242
- https://access.redhat.com/errata/RHSA-2018:3470
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10911
- https://lists.debian.org/debian-lts-announce/2018/09/msg00021.html
- https://lists.debian.org/debian-lts-announce/2021/11/msg00000.html
- https://review.gluster.org/#/c/glusterfs/+/21067/
- https://security.gentoo.org/glsa/201904-06
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00035.html
- https://access.redhat.com/errata/RHSA-2018:2607
- https://access.redhat.com/errata/RHSA-2018:2608
- https://access.redhat.com/errata/RHSA-2018:2892
- https://access.redhat.com/errata/RHSA-2018:3242
- https://access.redhat.com/errata/RHSA-2018:3470
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10911
- https://lists.debian.org/debian-lts-announce/2018/09/msg00021.html
- https://lists.debian.org/debian-lts-announce/2021/11/msg00000.html
- https://review.gluster.org/#/c/glusterfs/+/21067/
- https://security.gentoo.org/glsa/201904-06
Products affected by CVE-2018-10911
-
cpe:2.3:a:gluster:glusterfs:3.12.0
-
cpe:2.3:a:gluster:glusterfs:3.12.1
-
cpe:2.3:a:gluster:glusterfs:3.12.10
-
cpe:2.3:a:gluster:glusterfs:3.12.11
-
cpe:2.3:a:gluster:glusterfs:3.12.12
-
cpe:2.3:a:gluster:glusterfs:3.12.13
-
cpe:2.3:a:gluster:glusterfs:3.12.2
-
cpe:2.3:a:gluster:glusterfs:3.12.3
-
cpe:2.3:a:gluster:glusterfs:3.12.4
-
cpe:2.3:a:gluster:glusterfs:3.12.5
-
cpe:2.3:a:gluster:glusterfs:3.12.6
-
cpe:2.3:a:gluster:glusterfs:3.12.7
-
cpe:2.3:a:gluster:glusterfs:3.12.8
-
cpe:2.3:a:gluster:glusterfs:3.12.9
-
cpe:2.3:a:gluster:glusterfs:4.1.0
-
cpe:2.3:a:gluster:glusterfs:4.1.1
-
cpe:2.3:a:gluster:glusterfs:4.1.2
-
cpe:2.3:a:gluster:glusterfs:4.1.3
-
cpe:2.3:a:gluster:glusterfs:4.1.4
-
cpe:2.3:a:gluster:glusterfs:4.1.5
-
cpe:2.3:a:gluster:glusterfs:4.1.6
-
cpe:2.3:a:gluster:glusterfs:4.1.7
-
cpe:2.3:a:redhat:virtualization_host:4.0
-
cpe:2.3:o:debian:debian_linux:8.0
-
cpe:2.3:o:debian:debian_linux:9.0
-
cpe:2.3:o:opensuse:leap:15.1
-
cpe:2.3:o:redhat:enterprise_linux_desktop:6.0
-
cpe:2.3:o:redhat:enterprise_linux_desktop:7.0
-
cpe:2.3:o:redhat:enterprise_linux_server:6.0
-
cpe:2.3:o:redhat:enterprise_linux_server:7.0
-
cpe:2.3:o:redhat:enterprise_linux_workstation:6.0
-
cpe:2.3:o:redhat:enterprise_linux_workstation:7.0