{ "threat_severity" : "Important", "public_date" : "2018-10-31T08:00:00Z", "bugzilla" : { "description" : "glusterfs: glusterfs server exploitable via symlinks to relative paths", "id" : "1632557", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1632557" }, "cvss3" : { "cvss3_base_score" : "8.8", "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status" : "verified" }, "cwe" : "CWE-59", "details" : [ "It was found that the fix for CVE-2018-10927, CVE-2018-10928, CVE-2018-10929, CVE-2018-10930, and CVE-2018-10926 was incomplete. A remote, authenticated attacker could use one of these flaws to execute arbitrary code, create arbitrary files, or cause denial of service on glusterfs server nodes via symlinks to relative paths.", "It was found that the fix for CVE-2018-10927, CVE-2018-10928, CVE-2018-10929, CVE-2018-10930, and CVE-2018-10926 was incomplete. A remote, authenticated attacker could use one of these flaws to execute arbitrary code, create arbitrary files, or cause denial of service on glusterfs server nodes via symlinks to relative paths." ], "statement" : "This issue did not affect Red Hat Enterprise Linux 6 and 7 as the flaw is present in glusterfs-server, which is not shipped there.", "acknowledgement" : "Red Hat would like to thank Michael Hanselmann (hansmi.ch) for reporting this issue.", "affected_release" : [ { "product_name" : "Native Client for RHEL 6 for Red Hat Storage", "release_date" : "2018-10-31T00:00:00Z", "advisory" : "RHSA-2018:3431", "cpe" : "cpe:/a:redhat:storage:3:client:el6", "package" : "glusterfs-0:3.12.2-25.el6" }, { "product_name" : "Native Client for RHEL 7 for Red Hat Storage", "release_date" : "2018-10-31T00:00:00Z", "advisory" : "RHSA-2018:3432", "cpe" : "cpe:/a:redhat:storage:3:client:el7", "package" : "glusterfs-0:3.12.2-25.el7" }, { "product_name" : "Red Hat Gluster Storage 3.4 for RHEL 6", "release_date" : "2018-10-31T00:00:00Z", "advisory" : "RHSA-2018:3431", "cpe" : "cpe:/a:redhat:storage:3.4:server:el6", "package" : "glusterfs-0:3.12.2-25.el6rhs" }, { "product_name" : "Red Hat Gluster Storage 3.4 for RHEL 6", "release_date" : "2018-10-31T00:00:00Z", "advisory" : "RHSA-2018:3431", "cpe" : "cpe:/a:redhat:storage:3.4:server:el6", "package" : "redhat-storage-server-0:3.4.1.0-1.el6rhs" }, { "product_name" : "Red Hat Gluster Storage 3.4 for RHEL 7", "release_date" : "2018-10-31T00:00:00Z", "advisory" : "RHSA-2018:3432", "cpe" : "cpe:/a:redhat:storage:3.4:server:el7", "package" : "glusterfs-0:3.12.2-25.el7rhgs" }, { "product_name" : "Red Hat Gluster Storage 3.4 for RHEL 7", "release_date" : "2018-10-31T00:00:00Z", "advisory" : "RHSA-2018:3432", "cpe" : "cpe:/a:redhat:storage:3.4:server:el7", "package" : "redhat-storage-server-0:3.4.1.0-1.el7rhgs" }, { "product_name" : "Red Hat Virtualization 4 for Red Hat Enterprise Linux 7", "release_date" : "2018-10-31T00:00:00Z", "advisory" : "RHSA-2018:3432", "cpe" : "cpe:/o:redhat:enterprise_linux:7::hypervisor", "package" : "glusterfs-0:3.12.2-25.el7", "impact" : "moderate" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "glusterfs", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "glusterfs", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "glusterfs", "cpe" : "cpe:/o:redhat:enterprise_linux:8" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2018-14651\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-14651" ], "name" : "CVE-2018-14651", "csaw" : false }