Gluster: >> Glusterfs >> 4.1.4 Security Vulnerabilities
It was found that glusterfs server does not properly sanitize file paths in the "trusted.io-stats-dump" extended attribute which is used by the "debug/io-stats" translator. Attacker can use this flaw to create files and execute arbitrary code. To exploit this attacker would require sufficient access to modify the extended attributes of files on a gluster volume.
CVSS Score
8.8
EPSS Score
0.013
Published
2018-09-04
glusterfs is vulnerable to privilege escalation on gluster server nodes. An authenticated gluster client via TLS could use gluster cli with --remote-host command to add it self to trusted storage pool and perform privileged gluster operations like adding other machines to trusted storage pool, start, stop, and delete volumes.
CVSS Score
6.6
EPSS Score
0.003
Published
2018-06-20
Page 2