CVE-2018-21071: 
NixOS vulnerability analysis and mitigation

An information disclosure vulnerability was discovered in glusterfs server (CVE-2018-10913). The vulnerability was discovered in September 2018 and affects glusterfs versions from 3.12.0 up to 3.12.14 and 4.1.0 up to 4.1.8. An attacker could issue a xattr request via glusterfs FUSE to determine the existence of any file (NVD, CVE).

The vulnerability has a CVSS v3.1 Base Score of 6.5 (MEDIUM) with vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and CWE-209 (Generation of Error Message Containing Sensitive Information). The issue allows remote attackers with low privileges to gain unauthorized access to file existence information through xattr requests via glusterfs FUSE (NVD).

The vulnerability allows attackers to determine the existence of any file on the system through information disclosure. This could potentially be used for reconnaissance or to identify sensitive files. The impact is primarily limited to confidentiality with no direct impact on integrity or availability of the system (NVD).

The vulnerability has been patched in glusterfs versions 3.12.14 and 4.1.8. Users are advised to upgrade to these or later versions. Various Linux distributions have also released security updates including Red Hat, Debian, and OpenSUSE (Gluster Patch, Red Hat Advisory).