The Gluster file system through version 4.1.4 is vulnerable to abuse of the "features/index" translator. A remote attacker with access to mount volumes could exploit this via the "GF_XATTROP_ENTRY_IN_KEY" xattrop to create arbitrary, empty files on the target server.