CVE-2018-14654: Path Traversal
First published: Fri Sep 21 2018(Updated: )
The Gluster file system through version 4.1.4 is vulnerable to abuse of the 'features/index' translator. A remote attacker with access to mount volumes could exploit this via the 'GF_XATTROP_ENTRY_IN_KEY' xattrop to create arbitrary, empty files on the target server.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Redhat Gluster Storage | <=4.1.4 | |
| Redhat Enterprise Linux Server | =6.0 | |
| Redhat Enterprise Linux Server | =7.0 | |
| Redhat Enterprise Linux Virtualization | =4.0 | |
| Redhat Virtualization | =4.0 | |
| Redhat Virtualization Host | =4.0 | |
| Redhat Enterprise Linux Server | =7.0 | |
| Debian Debian Linux | =9.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://access.redhat.com/errata/RHSA-2018:3431
- https://access.redhat.com/errata/RHSA-2018:3432
- https://access.redhat.com/errata/RHSA-2018:3470
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14654
- https://lists.debian.org/debian-lts-announce/2021/11/msg00000.html
- https://security.gentoo.org/glsa/201904-06
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1644580
- https://review.gluster.org/#/c/glusterfs/+/21534/
- https://bugzilla.redhat.com/show_bug.cgi?id=1631576
Frequently Asked Questions
What is CVE-2018-14654?
CVE-2018-14654 is a vulnerability in the Gluster file system through version 4.1.4 that allows a remote attacker to create arbitrary, empty files on the target server.
How can an attacker exploit CVE-2018-14654?
An attacker with access to mount volumes can exploit CVE-2018-14654 by using the 'GF_XATTROP_ENTRY_IN_KEY' xattrop to create arbitrary, empty files on the target server.
Which software versions are affected by CVE-2018-14654?
The affected software versions include Redhat Gluster Storage up to and including version 4.1.4, Redhat Enterprise Linux Server 6.0 and 7.0, Redhat Enterprise Linux Virtualization 4.0, Redhat Virtualization 4.0, Redhat Virtualization Host 4.0, and Debian Debian Linux 9.0.
What is the severity of CVE-2018-14654?
CVE-2018-14654 has a severity value of 6.5, which is considered high.
How do I fix CVE-2018-14654?
To fix CVE-2018-14654, ensure you have updated to a patched version of the Gluster file system. Refer to the provided references for more information.
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/type
- agent/weakness
- collector/nvd-index
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2018-14654
- vendor/redhat
- canonical/redhat gluster storage
- version/redhat gluster storage/4.1.4
- canonical/redhat enterprise linux server
- version/redhat enterprise linux server/6.0
- version/redhat enterprise linux server/7.0
- canonical/redhat enterprise linux virtualization
- version/redhat enterprise linux virtualization/4.0
- canonical/redhat virtualization
- version/redhat virtualization/4.0
- canonical/redhat virtualization host
- version/redhat virtualization host/4.0
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0