Skip to main content

Gluster Storage CVE-2018-1127

HIGH
Insufficient Session Expiration (CWE-613)
2018-09-11 secalert@redhat.com
8.1
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Sep 11, 2018 - 15:29 nvd
HIGH 8.1

DescriptionNVD

Tendrl API in Red Hat Gluster Storage before 3.4.0 does not immediately remove session tokens after a user logs out. Session tokens remain active for a few minutes allowing attackers to replay tokens acquired via sniffing/MITM attacks and authenticate as the target user.

AnalysisAI

Tendrl API in Red Hat Gluster Storage before 3.4.0 does not immediately remove session tokens after a user logs out. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required.

Technical ContextAI

This vulnerability is classified under CWE-613. Tendrl API in Red Hat Gluster Storage before 3.4.0 does not immediately remove session tokens after a user logs out. Session tokens remain active for a few minutes allowing attackers to replay tokens acquired via sniffing/MITM attacks and authenticate as the target user. Affected products include: Redhat Gluster Storage. Version information: before 3.4.0.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2018-14653 HIGH
8.8 Oct 31

The Gluster file system through versions 4.1.4 and 3.12 is vulnerable to a heap-based buffer overflow in the '__server_g

CVE-2018-10928 HIGH
8.8 Sep 04

A flaw was found in RPC request using gfs3_symlink_req in glusterfs server which allows symlink destinations to point to

CVE-2018-1088 HIGH
8.1 Apr 18

A privilege escalation flaw was found in gluster 3.x snapshot scheduler. Rated high severity (CVSS 8.1), this vulnerabil

CVE-2015-1795 HIGH
7.8 Jun 27

Red Hat Gluster Storage RPM Package 3.2 allows local users to gain privileges and execute arbitrary code as root. Rated

CVE-2018-10875 HIGH
7.8 Jul 13

A flaw was found in ansible. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patc

CVE-2017-15087 HIGH
7.5 Nov 08

It was discovered that the fix for CVE-2017-12163 was not properly shipped in erratum RHSA-2017:2858 for Red Hat Gluster

CVE-2017-15086 HIGH
7.4 Nov 08

It was discovered that the fix for CVE-2017-12151 was not properly shipped in erratum RHSA-2017:2858 for Red Hat Gluster

CVE-2019-3831 MEDIUM
6.7 Mar 25

A vulnerability was discovered in vdsm, version 4.19 through 4.30.3 and 4.30.5 through 4.30.8. Rated medium severity (CV

CVE-2018-14654 MEDIUM
6.5 Oct 31

The Gluster file system through version 4.1.4 is vulnerable to abuse of the 'features/index' translator. Rated medium se

CVE-2018-14652 MEDIUM
6.5 Oct 31

The Gluster file system through versions 3.12 and 4.1.4 is vulnerable to a buffer overflow in the 'features/index' trans

CVE-2015-5242 MEDIUM
6.0 Nov 25

OpenStack Swift-on-File (aka Swiftonfile) does not properly restrict use of the pickle Python module when loading metada

CVE-2017-15085 MEDIUM
5.9 Nov 08

It was discovered that the fix for CVE-2017-12150 was not properly shipped in erratum RHSA-2017:2858 for Red Hat Gluster

Share

CVE-2018-1127 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy