CVE-2018-10911
04.09.2018, 14:29
A flaw was found in the way dic_unserialize function of glusterfs does not handle negative key length values. An attacker could use this flaw to read memory from other locations into the stored dict value.Enginsight
| Vendor | Product | Version |
|---|---|---|
| gluster | glusterfs | 3.12.0 ≤ 𝑥 < 3.12.14 |
| gluster | glusterfs | 4.1.0 ≤ 𝑥 < 4.1.8 |
| redhat | virtualization_host | 4.0 |
| redhat | enterprise_linux_desktop | 6.0 |
| redhat | enterprise_linux_desktop | 7.0 |
| redhat | enterprise_linux_server | 6.0 |
| redhat | enterprise_linux_server | 7.0 |
| redhat | enterprise_linux_workstation | 6.0 |
| redhat | enterprise_linux_workstation | 7.0 |
| debian | debian_linux | 8.0 |
| debian | debian_linux | 9.0 |
| opensuse | leap | 15.1 |
𝑥
= Vulnerable software versions
Debian Releases
Ubuntu Releases
Ubuntu Product | |||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| glusterfs |
|
Common Weakness Enumeration
- CWE-190 - Integer Overflow or WraparoundThe software performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.
- CWE-502 - Deserialization of Untrusted DataThe application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
References