glusterfs is vulnerable to privilege escalation on gluster server nodes. An authenticated gluster client via TLS could use gluster cli with –remote-host command to add it self to trusted storage pool and perform privileged gluster operations like adding other machines to trusted storage pool, start, stop, and delete volumes.
The product requires authentication, but the product has an alternate path or channel that does not require authentication.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Glusterfs | Gluster | * | 4.1.8 (excluding) |
| Native Client for RHEL 6 for Red Hat Storage | RedHat | glusterfs-0:3.8.4-54.11.el6 | * |
| Native Client for RHEL 7 for Red Hat Storage | RedHat | glusterfs-0:3.8.4-54.10.el7 | * |
| Red Hat Gluster Storage 3.3 for RHEL 6 | RedHat | glusterfs-0:3.8.4-54.11.el6rhs | * |
| Red Hat Gluster Storage 3.3 for RHEL 7 | RedHat | glusterfs-0:3.8.4-54.10.el7rhgs | * |
| Red Hat Virtualization 4 for Red Hat Enterprise Linux 7 | RedHat | glusterfs-0:3.8.4-54.10.el7 | * |
| Glusterfs | Ubuntu | artful | * |
| Glusterfs | Ubuntu | bionic | * |
| Glusterfs | Ubuntu | cosmic | * |
| Glusterfs | Ubuntu | esm-apps/bionic | * |
| Glusterfs | Ubuntu | esm-apps/xenial | * |
| Glusterfs | Ubuntu | xenial | * |