CVE-2018-1088
Published: 18 April 2018
A privilege escalation flaw was found in gluster 3.x snapshot scheduler. Any gluster client allowed to mount gluster volumes could also mount shared gluster storage volume and escalate privileges by scheduling malicious cronjob via symlink.
From the Ubuntu Security Team
It was discovered that GlusterFS incorrectly handled mounting gluster volumes. An attacker could possibly use this issue to also mount shared gluster volumes and escalate privileges through malicious cronjobs.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
glusterfs Launchpad, Ubuntu, Debian |
artful |
Ignored
(end of life)
|
| bionic |
Released
(3.13.2-1ubuntu1+esm1)
Available with Ubuntu Pro |
|
| cosmic |
Not vulnerable
(4.0.2-1)
|
|
| disco |
Not vulnerable
(4.0.2-1)
|
|
| eoan |
Not vulnerable
(4.0.2-1)
|
|
| focal |
Not vulnerable
(4.0.2-1)
|
|
| groovy |
Not vulnerable
(4.0.2-1)
|
|
| hirsute |
Not vulnerable
(4.0.2-1)
|
|
| impish |
Not vulnerable
(4.0.2-1)
|
|
| jammy |
Not vulnerable
(4.0.2-1)
|
|
| kinetic |
Not vulnerable
(4.0.2-1)
|
|
| lunar |
Not vulnerable
(4.0.2-1)
|
|
| trusty |
Not vulnerable
(code not present)
|
|
| upstream |
Needs triage
|
|
| xenial |
Released
(3.7.6-1ubuntu1+esm1)
Available with Ubuntu Pro |
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 8.1 |
| Attack vector | Network |
| Attack complexity | High |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |