Vulnerabilities (CVE)

Filtered by vendor Redhat Subscribe
Filtered by product Gluster Storage
Total 26 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2014-0160 13 Broadcom, Canonical, Debian and 10 more 35 Symantec Messaging Gateway, Ubuntu Linux, Debian Linux and 32 more 2024-07-02 5.0 MEDIUM 7.5 HIGH
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.
CVE-2016-2124 5 Canonical, Debian, Fedoraproject and 2 more 24 Ubuntu Linux, Debian Linux, Fedora and 21 more 2024-02-28 4.3 MEDIUM 5.9 MEDIUM
A flaw was found in the way samba implemented SMB1 authentication. An attacker could use this flaw to retrieve the plaintext password sent over the wire even if Kerberos authentication was required.
CVE-2020-25717 5 Canonical, Debian, Fedoraproject and 2 more 25 Ubuntu Linux, Debian Linux, Fedora and 22 more 2024-02-28 8.5 HIGH 8.1 HIGH
A flaw was found in the way Samba maps domain users to local users. An authenticated attacker could use this flaw to cause possible privilege escalation.
CVE-2021-44142 6 Canonical, Debian, Fedoraproject and 3 more 23 Ubuntu Linux, Debian Linux, Fedora and 20 more 2024-02-28 9.0 HIGH 8.8 HIGH
The Samba vfs_fruit module uses extended file attributes (EA, xattr) to provide "...enhanced compatibility with Apple SMB clients and interoperability with a Netatalk 3 AFP fileserver." Samba versions prior to 4.13.17, 4.14.12 and 4.15.5 with vfs_fruit configured allow out-of-bounds heap read and write via specially crafted extended file attributes. A remote attacker with write access to extended file attributes can execute arbitrary code with the privileges of smbd, typically root.
CVE-2020-10763 2 Heketi Project, Redhat 4 Heketi, Enterprise Linux, Gluster Storage and 1 more 2024-02-28 2.1 LOW 5.5 MEDIUM
An information-disclosure flaw was found in the way Heketi before 10.1.0 logs sensitive information. This flaw allows an attacker with local access to the Heketi server to read potentially sensitive information such as gluster-block passwords.
CVE-2019-3831 2 Ovirt, Redhat 2 Vdsm, Gluster Storage 2024-02-28 9.0 HIGH 6.7 MEDIUM
A vulnerability was discovered in vdsm, version 4.19 through 4.30.3 and 4.30.5 through 4.30.8. The systemd_run function exposed to the vdsm system user could be abused to execute arbitrary commands as root.
CVE-2019-3880 5 Debian, Fedoraproject, Opensuse and 2 more 6 Debian Linux, Fedora, Leap and 3 more 2024-02-28 5.5 MEDIUM 5.4 MEDIUM
A flaw was found in the way samba implemented an RPC endpoint emulating the Windows registry service API. An unprivileged attacker could use this flaw to create a new registry hive file anywhere they have unix permissions which could lead to creation of a new file in the Samba share. Versions before 4.8.11, 4.9.6 and 4.10.2 are vulnerable.
CVE-2018-14652 2 Debian, Redhat 5 Debian Linux, Enterprise Linux Server, Enterprise Linux Virtualization and 2 more 2024-02-28 4.0 MEDIUM 6.5 MEDIUM
The Gluster file system through versions 3.12 and 4.1.4 is vulnerable to a buffer overflow in the 'features/index' translator via the code handling the 'GF_XATTR_CLRLK_CMD' xattr in the 'pl_getxattr' function. A remote authenticated attacker could exploit this on a mounted volume to cause a denial of service.
CVE-2017-12163 3 Debian, Redhat, Samba 7 Debian Linux, Enterprise Linux, Enterprise Linux Desktop and 4 more 2024-02-28 4.8 MEDIUM 7.1 HIGH
An information leak flaw was found in the way SMB1 protocol was implemented by Samba before 4.4.16, 4.5.x before 4.5.14, and 4.6.x before 4.6.8. A malicious client could use this flaw to dump server memory contents to a file on the samba share or to a shared printer, though the exact area of server memory cannot be controlled by the attacker.
CVE-2018-10928 4 Debian, Gluster, Opensuse and 1 more 7 Debian Linux, Glusterfs, Leap and 4 more 2024-02-28 6.5 MEDIUM 8.8 HIGH
A flaw was found in RPC request using gfs3_symlink_req in glusterfs server which allows symlink destinations to point to file paths outside of the gluster volume. An authenticated attacker could use this flaw to create arbitrary symlinks pointing anywhere on the server and execute arbitrary code on glusterfs server nodes.
CVE-2018-10875 4 Canonical, Debian, Redhat and 1 more 11 Ubuntu Linux, Debian Linux, Ansible Engine and 8 more 2024-02-28 4.6 MEDIUM 7.8 HIGH
A flaw was found in ansible. ansible.cfg is read from the current working directory which can be altered to make it point to a plugin or a module path under the control of an attacker, thus allowing the attacker to execute arbitrary code.
CVE-2016-2125 2 Redhat, Samba 8 Enterprise Linux Desktop, Enterprise Linux Server, Enterprise Linux Server Aus and 5 more 2024-02-28 3.3 LOW 6.5 MEDIUM
It was found that Samba before versions 4.5.3, 4.4.8, 4.3.13 always requested forwardable tickets when using Kerberos authentication. A service to which Samba authenticated using Kerberos could subsequently use the ticket to impersonate Samba to other services or domain users.
CVE-2018-1127 1 Redhat 1 Gluster Storage 2024-02-28 6.8 MEDIUM 8.1 HIGH
Tendrl API in Red Hat Gluster Storage before 3.4.0 does not immediately remove session tokens after a user logs out. Session tokens remain active for a few minutes allowing attackers to replay tokens acquired via sniffing/MITM attacks and authenticate as the target user.
CVE-2018-14653 2 Debian, Redhat 4 Debian Linux, Enterprise Linux Server, Enterprise Linux Virtualization and 1 more 2024-02-28 6.5 MEDIUM 8.8 HIGH
The Gluster file system through versions 4.1.4 and 3.12 is vulnerable to a heap-based buffer overflow in the '__server_getspec' function via the 'gf_getspec_req' RPC message. A remote authenticated attacker could exploit this to cause a denial of service or other potential unspecified impact.
CVE-2017-7481 3 Canonical, Debian, Redhat 10 Ubuntu Linux, Debian Linux, Ansible Engine and 7 more 2024-02-28 7.5 HIGH 9.8 CRITICAL
Ansible before versions 2.3.1.0 and 2.4.0.0 fails to properly mark lookup-plugin results as unsafe. If an attacker could control the results of lookup() calls, they could inject Unicode strings to be parsed by the jinja2 templating system, resulting in code execution. By default, the jinja2 templating language is now marked as 'unsafe' and is not evaluated.
CVE-2018-1000808 3 Canonical, Pyopenssl Project, Redhat 7 Ubuntu Linux, Pyopenssl, Enterprise Linux Desktop and 4 more 2024-02-28 4.3 MEDIUM 5.9 MEDIUM
Python Cryptographic Authority pyopenssl version Before 17.5.0 contains a CWE - 401 : Failure to Release Memory Before Removing Last Reference vulnerability in PKCS #12 Store that can result in Denial of service if memory runs low or is exhausted. This attack appear to be exploitable via Depends upon calling application, however it could be as simple as initiating a TLS connection. Anything that would cause the calling application to reload certificates from a PKCS #12 store.. This vulnerability appears to have been fixed in 17.5.0.
CVE-2018-14654 2 Debian, Redhat 6 Debian Linux, Enterprise Linux Server, Enterprise Linux Virtualization and 3 more 2024-02-28 8.5 HIGH 6.5 MEDIUM
The Gluster file system through version 4.1.4 is vulnerable to abuse of the 'features/index' translator. A remote attacker with access to mount volumes could exploit this via the 'GF_XATTROP_ENTRY_IN_KEY' xattrop to create arbitrary, empty files on the target server.
CVE-2017-12150 3 Debian, Redhat, Samba 7 Debian Linux, Enterprise Linux, Enterprise Linux Desktop and 4 more 2024-02-28 5.8 MEDIUM 7.4 HIGH
It was found that samba before 4.4.16, 4.5.x before 4.5.14, and 4.6.x before 4.6.8 did not enforce "SMB signing" when certain configuration options were enabled. A remote attacker could launch a man-in-the-middle attack and retrieve information in plain-text.
CVE-2015-1777 1 Redhat 3 Enterprise Linux, Gluster Storage, Rhn-client-tools 2024-02-28 4.3 MEDIUM 5.9 MEDIUM
rhnreg_ks in Red Hat Network Client Tools (aka rhn-client-tools) on Red Hat Gluster Storage 2.1 and Enterprise Linux (RHEL) 5, 6, and 7 does not properly validate hostnames in X.509 certificates from SSL servers, which allows remote attackers to prevent system registration via a man-in-the-middle attack.
CVE-2018-1088 3 Debian, Opensuse, Redhat 6 Debian Linux, Leap, Enterprise Linux Server and 3 more 2024-02-28 6.8 MEDIUM 8.1 HIGH
A privilege escalation flaw was found in gluster 3.x snapshot scheduler. Any gluster client allowed to mount gluster volumes could also mount shared gluster storage volume and escalate privileges by scheduling malicious cronjob via symlink.