PT-2018-3746 · Red Hat+3 · Gluster+3

Pedro Sampaio

Published

2018-04-18

Updated

2023-02-13

CVE-2018-1088

CVSS v3.1

8.1

High

Vector

AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions gluster versions 3.x

Description The issue is related to a privilege escalation flaw in the gluster snapshot scheduler, which can be exploited by scheduling a malicious cronjob via symlink. This flaw allows an attacker to escalate privileges if they are allowed to mount gluster volumes.

Recommendations For gluster version 3.x, consider restricting access to the snapshot scheduler to prevent malicious cronjob scheduling until a patch is available. As a temporary workaround, consider disabling the shared gluster storage volume mounting capability for gluster clients to minimize the risk of exploitation.

Exploit

Fix

Incorrect Privilege Assignment

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-266

Related Identifiers

ALT-PU-2018-1730

BDU:2021-04142

CVE-2018-1088

DLA-2806-1

OPENSUSE-SU-2020:0079-1

OPENSUSE-SU-2020_0079-1

OPENSUSE-SU-2024:10794-1

RHSA-2018:1136

RHSA-2018:1137

RHSA-2018:1275

RHSA-2018:1524

USN-4770-1

Affected Products

Alt Linux

Suse

Ubuntu

Gluster

PT-2018-3746 · Red Hat+3 · Gluster+3

CVE-2018-1088

Weakness Enumeration

Related Identifiers

Affected Products

References · 75