CVE-2018-1088 — HIGH (8.1) — White Hats Nepal

Q: How severe is CVE-2018-1088?

CVE-2018-1088 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2018-1088?

Check the references section above for vendor advisories and patch information. Affected products include: Redhat Gluster Storage, Redhat Virtualization, Redhat Virtualization Host, Redhat Enterprise Linux Server, Opensuse Leap.

Vulnerability Description

A privilege escalation flaw was found in gluster 3.x snapshot scheduler. Any gluster client allowed to mount gluster volumes could also mount shared gluster storage volume and escalate privileges by scheduling malicious cronjob via symlink.

CVSS Score

8.1

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Redhat	Gluster Storage	>= 3.0, <= 3.13.2
Redhat	Virtualization	4.0
Redhat	Virtualization Host	4.0
Redhat	Enterprise Linux Server	6.0
Opensuse	Leap	15.1
Debian	Debian Linux	9.0

Related Weaknesses (CWE)

CWE-266

References

http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00035.htmlMailing ListThird Party Advisory
https://access.redhat.com/errata/RHSA-2018:1136Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:1137Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:1275Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:1524Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1558721Issue TrackingPatchVendor Advisory
https://lists.debian.org/debian-lts-announce/2021/11/msg00000.htmlMailing ListThird Party Advisory
https://security.gentoo.org/glsa/201904-06Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00035.htmlMailing ListThird Party Advisory
https://access.redhat.com/errata/RHSA-2018:1136Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:1137Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:1275Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:1524Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1558721Issue TrackingPatchVendor Advisory
https://lists.debian.org/debian-lts-announce/2021/11/msg00000.htmlMailing ListThird Party Advisory

FAQ

What is CVE-2018-1088?

CVE-2018-1088 is a vulnerability with a CVSS score of 8.1 (HIGH). A privilege escalation flaw was found in gluster 3.x snapshot scheduler. Any gluster client allowed to mount gluster volumes could also mount shared gluster storage volume and escalate privileges by s...

How severe is CVE-2018-1088?

CVE-2018-1088 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2018-1088?

Check the references section above for vendor advisories and patch information. Affected products include: Redhat Gluster Storage, Redhat Virtualization, Redhat Virtualization Host, Redhat Enterprise Linux Server, Opensuse Leap.