Vulnerability Details: CVE-2018-14661
A format string vulnerability was found in the use of the snprintf function in the feature/locks translator of glusterfs server 3.8.4, as shipped with Red Hat Gluster Storage. A remote, authenticated attacker could use this flaw to cause a remote denial of service.
Vulnerability category: Overflow; Input validation; Denial of service
Products affected by CVE-2018-14661
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:virtualization:4.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:virtualization_host:4.0:*:*:*:*:*:*:*
- cpe:2.3:a:gluster:glusterfs:3.8.4:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-14661
0.78%: probability of exploitation activity in the next 30 days
~82%: percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2018-14661
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
4.0 | MEDIUM | AV:N/AC:L/Au:S/C:N/I:N/A:P | 8.0 | 2.9 | NIST |
6.5 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 2.8 | 3.6 | Red Hat, Inc. |
6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 2.8 | 3.6 | NIST |
CWE ids for CVE-2018-14661
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: secalert@redhat.com (Primary)
- The product uses a function that accepts a format string as an argument, but the format string originates from an external source. Assigned by: nvd@nist.gov (Secondary)
References for CVE-2018-14661
- GlusterFS: Multiple Vulnerabilities (GLSA 201904-06) — Gentoo security [Third Party Advisory]
  https://security.gentoo.org/glsa/201904-06
- RHSA-2018:3470 - Security Advisory - Red Hat Customer Portal [Third Party Advisory]
  https://access.redhat.com/errata/RHSA-2018:3470
- 1636880 – (CVE-2018-14661) CVE-2018-14661 glusterfs: features/locks translator passes a user-controlled string to snprintf without a proper format string resulting in a denial of service [Issue Tracking; Third Party Advisory]
  https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14661
- [SECURITY] [DLA 2806-1] glusterfs security update [Mailing List; Third Party Advisory]
  https://lists.debian.org/debian-lts-announce/2021/11/msg00000.html
- RHSA-2018:3432 - Security Advisory - Red Hat Customer Portal [Third Party Advisory]
  https://access.redhat.com/errata/RHSA-2018:3432
- [SECURITY] [DLA 1565-1] glusterfs security update [Mailing List; Third Party Advisory]
  https://lists.debian.org/debian-lts-announce/2018/11/msg00003.html
- RHSA-2018:3431 - Security Advisory - Red Hat Customer Portal [Third Party Advisory]
  https://access.redhat.com/errata/RHSA-2018:3431