Candidate: CVE-2018-1088
PublicDate: 2018-04-18 16:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1088
 https://bugzilla.redhat.com/show_bug.cgi?id=1558721
Description:
 A privilege escalation flaw was found in gluster 3.x snapshot scheduler.
 Any gluster client allowed to mount gluster volumes could also mount shared
 gluster storage volume and escalate privileges by scheduling malicious
 cronjob via symlink.
Ubuntu-Description:
 It was discovered that GlusterFS incorrectly handled mounting gluster volumes.
 An attacker could possibly use this issue to also mount shared gluster volumes
 and escalate privileges through malicious cronjobs.
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H [8.1 HIGH]
 nvd: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H [8.1 HIGH]


Patches_glusterfs:
upstream_glusterfs: needs-triage
precise/esm_glusterfs: DNE
trusty_glusterfs: not-affected (code not present)
trusty/esm_glusterfs: not-affected (code not present)
xenial_glusterfs: ignored (end of standard support, was needed)
artful_glusterfs: ignored (reached end-of-life)
bionic_glusterfs: needed
cosmic_glusterfs: not-affected (4.0.2-1)
disco_glusterfs: not-affected (4.0.2-1)
eoan_glusterfs: not-affected (4.0.2-1)
focal_glusterfs: not-affected (4.0.2-1)
groovy_glusterfs: not-affected (4.0.2-1)
hirsute_glusterfs: not-affected (4.0.2-1)
impish_glusterfs: not-affected (4.0.2-1)
jammy_glusterfs: not-affected (4.0.2-1)
devel_glusterfs: not-affected (4.0.2-1)