lustre 関連製品全体の CVE とセキュリティ脆弱性情報を集約し、CVSS、EPSS、公開日、脆弱性情報データを掲載しています。
過去の問題は主に vendor risk memory corruption and バッファオーバーフロー などに関し、一部は vendor impact memory corruption を招き、vendor surface software deployment and vendor surface production workloads 関連の場面に影響します。
掲載データは公開脆弱性情報とセキュリティ公告に基づき、過去の暴露面と修補優先度の評価に利用できます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2019-20432 | In the Lustre file system before 2.12.3, the mdt module has an out-of-bounds access and panic due to the lack of validation for specific fields of packets sent by a client. mdt_file_secctx_unpack does not validate the value of name_size derived from req_capsule_get_size. | [email protected] | 7.5 | 1.81% | 2020-01-27 | 2026-06-16 |
| CVE-2019-20431 | In the Lustre file system before 2.12.3, the ptlrpc module has an osd_map_remote_to_local out-of-bounds access and panic due to the lack of validation for specific fields of packets sent by a client. osd_bufs_get in the osd_ldiskfs module does not validate a certain length value. | [email protected] | 7.5 | 1.92% | 2020-01-27 | 2026-06-16 |
| CVE-2019-20430 | In the Lustre file system before 2.12.3, the mdt module has an LBUG panic (via a large MDT Body eadatasize field) due to the lack of validation for specific fields of packets sent by a client. | [email protected] | 7.5 | 2.21% | 2020-01-27 | 2026-06-16 |
| CVE-2019-20429 | In the Lustre file system before 2.12.3, the ptlrpc module has an out-of-bounds read and panic (via a modified lm_bufcount field) due to the lack of validation for specific fields of packets sent by a client. This is caused by interaction between sptlrpc_svc_unwrap_request and lustre_msg_hdr_size_v2. | [email protected] | 7.5 | 1.90% | 2020-01-27 | 2026-06-16 |
| CVE-2019-20428 | In the Lustre file system before 2.12.3, the ptlrpc module has an out-of-bounds read and panic due to the lack of validation for specific fields of packets sent by a client. The ldl_request_cancel function mishandles a large lock_count parameter. | [email protected] | 7.5 | 1.82% | 2020-01-27 | 2026-06-16 |
| CVE-2019-20427 | In the Lustre file system before 2.12.3, the ptlrpc module has a buffer overflow and panic, and possibly remote code execution, due to the lack of validation for specific fields of packets sent by a client. Interaction between req_capsule_get_size and tgt_brw_write leads to a tgt_shortio2pages integer signedness error. | [email protected] | 9.8 | 4.90% | 2020-01-27 | 2026-06-16 |
| CVE-2019-20426 | In the Lustre file system before 2.12.3, the ptlrpc module has an out-of-bounds access and panic due to the lack of validation for specific fields of packets sent by a client. In the function ldlm_cancel_hpreq_check, there is no lock_count bounds check. | [email protected] | 7.5 | 1.92% | 2020-01-27 | 2026-06-16 |
| CVE-2019-20425 | In the Lustre file system before 2.12.3, the ptlrpc module has an out-of-bounds access and panic due to the lack of validation for specific fields of packets sent by a client. In the function lustre_msg_string, there is no validation of a certain length value derived from lustre_msg_buflen_v2. | [email protected] | 7.5 | 1.90% | 2020-01-27 | 2026-06-16 |
| CVE-2019-20424 | In the Lustre file system before 2.12.3, mdt_object_remote in the mdt module has a NULL pointer dereference and panic due to the lack of validation for specific fields of packets sent by a client. | [email protected] | 7.5 | 2.95% | 2020-01-27 | 2026-06-16 |
| CVE-2019-20423 | In the Lustre file system before 2.12.3, the ptlrpc module has a buffer overflow and panic due to the lack of validation for specific fields of packets sent by a client. The function target_handle_connect() mishandles a certain size value when a client connects to a server, because of an integer signedness error. | [email protected] | 7.5 | 2.06% | 2020-01-27 | 2026-06-16 |
| CVE-2008-4970 | runiozone in lustre 1.6.5 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/iozone.log temporary file. | [email protected] | 6.9 | 0.39% | 2008-11-06 | 2026-06-16 |