{"containers": {"cna": {"affected": [{"product": "glusterfs", "vendor": "Red Hat", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2018-09-04T00:00:00", "descriptions": [{"lang": "en", "value": "It was discovered that fsync(2) system call in glusterfs client code leaks memory. An authenticated attacker could use this flaw to launch a denial of service attack by making gluster clients consume memory of the host machine."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-01-20T06:06:09", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10924"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://review.gluster.org/#/c/glusterfs/+/20723/"}, {"name": "GLSA-201904-06", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/201904-06"}, {"name": "openSUSE-SU-2020:0079", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00035.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2018-10924", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "glusterfs", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "Red Hat"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "It was discovered that fsync(2) system call in glusterfs client code leaks memory. An authenticated attacker could use this flaw to launch a denial of service attack by making gluster clients consume memory of the host machine."}]}, "impact": {"cvss": [[{"vectorString": "5.3/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.0"}]]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-400"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10924", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10924"}, {"name": "https://review.gluster.org/#/c/glusterfs/+/20723/", "refsource": "CONFIRM", "url": "https://review.gluster.org/#/c/glusterfs/+/20723/"}, {"name": "GLSA-201904-06", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201904-06"}, {"name": "openSUSE-SU-2020:0079", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00035.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T07:54:35.541Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10924"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://review.gluster.org/#/c/glusterfs/+/20723/"}, {"name": "GLSA-201904-06", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/201904-06"}, {"name": "openSUSE-SU-2020:0079", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00035.html"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2018-10924", "datePublished": "2018-09-04T15:00:00", "dateReserved": "2018-05-09T00:00:00", "dateUpdated": "2024-08-05T07:54:35.541Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gluster:glusterfs:*:*:*:*:*:*:*:*", "matchCriteriaId": "3C42FB8A-5CE4-4116-B169-CECDCEC47FE1", "versionEndExcluding": "3.12.14", "versionStartIncluding": "3.12.11", "vulnerable": true}, {"criteria": "cpe:2.3:a:gluster:glusterfs:*:*:*:*:*:*:*:*", "matchCriteriaId": "2AB23350-9ED4-45E3-B228-36DB367A3DDE", "versionEndExcluding": "4.1.4", "versionStartIncluding": "4.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "It was discovered that fsync(2) system call in glusterfs client code leaks memory. An authenticated attacker could use this flaw to launch a denial of service attack by making gluster clients consume memory of the host machine."}, {"lang": "es", "value": "Se ha descubierto que la llamada del sistema fsync(2) en el c\u00f3digo del cliente glusterfs filtra memoria. Un atacante autenticado podr\u00eda empelar este error para lanzar un ataque de denegaci\u00f3n de servicio (DoS) haciendo que los clientes gluster consuman la memoria de la m\u00e1quina host."}], "id": "CVE-2018-10924", "lastModified": "2024-11-21T03:42:18.950", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 6.8, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:C", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "secalert@redhat.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-09-04T15:29:00.273", "references": [{"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00035.html"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10924"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://review.gluster.org/#/c/glusterfs/+/20723/"}, {"source": "secalert@redhat.com", "url": "https://security.gentoo.org/glsa/201904-06"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00035.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10924"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://review.gluster.org/#/c/glusterfs/+/20723/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.gentoo.org/glsa/201904-06"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "secalert@redhat.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-772"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Michael Hanselmann (hansmi.ch) for reporting this issue.", "bugzilla": {"description": "glusterfs: Denial-of-service via fsync(2) in Gluster FUSE client", "id": "1611785", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1611785"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-400", "details": ["It was discovered that fsync(2) system call in glusterfs client code leaks memory. An authenticated attacker could use this flaw to launch a denial of service attack by making gluster clients consume memory of the host machine.", "It was discovered that fsync(2) system call in glusterfs client code leaks memory. An authenticated attacker could use this flaw to launch a denial of service attack by making gluster clients consume memory of the host machine."], "name": "CVE-2018-10924", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "glusterfs", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "glusterfs", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "glusterfs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "glusterfs", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/o:redhat:rhev_hypervisor:4", "fix_state": "Not affected", "package_name": "glusterfs", "product_name": "Red Hat Virtualization 4"}], "public_date": "2018-09-04T05:30:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2018-10924\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-10924"], "statement": "This issue did not affect the versions of glusterfs as shipped with Red Hat Enterprise Linux 6 and 7, and Red Hat Gluster Storage 3.", "threat_severity": "Moderate"}