The Gluster file system through version 4.1.4 is vulnerable to abuse of the 'features/index' translator. A remote attacker with access to mount volumes could exploit this via the 'GFXATTROPENTRYINKEY' xattrop to create arbitrary, empty files on the target server.
{ "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro", "ubuntu_priority": "medium", "binaries": [ { "binary_version": "3.13.2-1ubuntu1+esm1", "binary_name": "glusterfs-client" }, { "binary_version": "3.13.2-1ubuntu1+esm1", "binary_name": "glusterfs-client-dbgsym" }, { "binary_version": "3.13.2-1ubuntu1+esm1", "binary_name": "glusterfs-common" }, { "binary_version": "3.13.2-1ubuntu1+esm1", "binary_name": "glusterfs-common-dbgsym" }, { "binary_version": "3.13.2-1ubuntu1+esm1", "binary_name": "glusterfs-server" }, { "binary_version": "3.13.2-1ubuntu1+esm1", "binary_name": "glusterfs-server-dbgsym" } ] }