It was found that the glusterfs server does not properly sanitize file paths in the "trusted.io-stats-dump" extended attribute, which is used by the "debug/io-stats" translator. An attacker can use this flaw to create files and execute arbitrary code. To exploit this, an attacker would require sufficient access to modify the extended attributes of files on a gluster volume.
Vulnerable Product |
---|
gluster glusterfs |
redhat virtualization host 4.0 |
redhat enterprise linux server 7.0 |
redhat enterprise linux server 6.0 |
debian debian linux 8.0 |
debian debian linux 9.0 |
opensuse leap 15.1 |