Vulnerability Details : CVE-2018-14651
It was found that the fix for CVE-2018-10927, CVE-2018-10928, CVE-2018-10929, CVE-2018-10930, and CVE-2018-10926 was incomplete. A remote, authenticated attacker could use one of these flaws to execute arbitrary code, create arbitrary files, or cause denial of service on glusterfs server nodes via symlinks to relative paths.
Vulnerability category: Execute code; Denial of service
Products affected by CVE-2018-14651
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:a:gluster:glusterfs:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-14651
- EPSS score: 0.29% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~68% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2018-14651
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P | 8.0 | 6.4 | NIST | |
8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 | NIST | |
8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 | Red Hat, Inc. | |
CWE ids for CVE-2018-14651
- The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
  Assigned by:
  - nvd@nist.gov (Secondary)
  - secalert@redhat.com (Primary)
References for CVE-2018-14651
- https://security.gentoo.org/glsa/201904-06
  GlusterFS: Multiple Vulnerabilities (GLSA 201904-06), Gentoo security
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14651
  1632557 (CVE-2018-14651) glusterfs: glusterfs server exploitable via symlinks to relative paths (Issue Tracking; Patch; Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2018:3432
  RHSA-2018:3432 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2018/11/msg00003.html
  [SECURITY] [DLA 1565-1] glusterfs security update (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2018:3431
  RHSA-2018:3431 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)