CVE-2018-14660

A flaw was found in glusterfs server through versions 4.1.4 and 3.1.2 which allowed repeated usage of GF_META_LOCK_KEY xattr. A remote, authenticated attacker could use this flaw to create multiple locks for single inode by using setxattr repetitively resulting in memory exhaustion of glusterfs server node.

Published : 2018-11-01 14:29 Updated : 2019-10-03 00:03

4.0
CVSS Score More info
Score 4.0 / 10
4.0
Vendor Product Version URI
Gluster Glusterfs 3.1.0 cpe:/a:gluster:glusterfs:3.1.0
Gluster Glusterfs 3.1.1 cpe:/a:gluster:glusterfs:3.1.1
Gluster Glusterfs 3.1.2 cpe:/a:gluster:glusterfs:3.1.2
Gluster Glusterfs 4.1.0 cpe:/a:gluster:glusterfs:4.1.0:-
Gluster Glusterfs 4.1.0 cpe:/a:gluster:glusterfs:4.1.0:alpha
Gluster Glusterfs 4.1.0 cpe:/a:gluster:glusterfs:4.1.0:rc0
Gluster Glusterfs 4.1.1 cpe:/a:gluster:glusterfs:4.1.1
Gluster Glusterfs 4.1.2 cpe:/a:gluster:glusterfs:4.1.2
Gluster Glusterfs 4.1.3 cpe:/a:gluster:glusterfs:4.1.3
Gluster Glusterfs 4.1.4 cpe:/a:gluster:glusterfs:4.1.4
Redhat Gluster Storage 3.0 cpe:/a:redhat:gluster_storage:3.0
Redhat Virtualization Host 4.0 cpe:/a:redhat:virtualization_host:4.0
Redhat Enterprise Linux Server 6.0 cpe:/o:redhat:enterprise_linux_server:6.0
Redhat Enterprise Linux Server 7.0 cpe:/o:redhat:enterprise_linux_server:7.0
Redhat Virtualization 4.0 cpe:/o:redhat:virtualization:4.0
  1. Gluster (1) Search CVE
    1. Glusterfs (8) Search CVE
      1. 3.1.0
      2. 3.1.1
      3. 3.1.2
      4. 4.1.0
      5. 4.1.1
      6. 4.1.2
      7. 4.1.3
      8. 4.1.4
  2. Redhat (4) Search CVE
    1. Gluster Storage (1) Search CVE
      1. 3.0
    2. Virtualization (1) Search CVE
      1. 4.0
    3. Enterprise Linux Server (2) Search CVE
      1. 6.0
      2. 7.0
    4. Virtualization Host (1) Search CVE
      1. 4.0

CWE

ID Name Description Links
CWE-770 Allocation of Resources Without Limits or Throttling The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on how many resources can be allocated, in violation of the intended security policy for that actor. CVE

History of changes

Date Event
2019-10-03 00:03
2019-01-30 19:18
2018-11-06 11:29
2018-11-02 10:29
2018-11-01 14:29

New CVE