CVE-2018-1112
moderate-risk
Published 2018-04-25
glusterfs server before versions 3.10.12 and 4.0.2 is vulnerable when using the 'auth.allow' option, which allows any unauthenticated gluster client to connect from any network and mount gluster storage volumes. NOTE: this vulnerability exists because of a CVE-2018-1088 regression.
Do I need to act?
EPSS: 2.0% chance of exploitation in next 30 days (moderate exploit probability)
CISA KEV: not on the list; no confirmed active exploitation reported to CISA
Patch status: unknown; check vendor advisories for fix availability and mitigation guidance
CVSS: 8.0/10, High; attack vector ADJACENT_NETWORK, LOW complexity
Affected Vendors
References (12)
Third Party Advisory: https://access.redhat.com/articles/3422521
Third Party Advisory: https://access.redhat.com/errata/RHSA-2018:1268
Third Party Advisory: https://access.redhat.com/errata/RHSA-2018:1269
Issue Tracking: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1112
Vendor Advisory: https://review.gluster.org/#/c/19899/1..2
Risk score: 37/100 (moderate-risk)
Severity: 25/34 · High
Exploitability: 5/34 · Minimal
Exposure: 7/34 · Low