Filtered by vendor Samba Subscriptions
Filtered by product Samba Subscriptions
Total 209 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2020-17049 3 Microsoft, Redhat, Samba 13 Windows Server 1903, Windows Server 1909, Windows Server 2004 and 10 more 2024-11-15 6.6 Medium
A security feature bypass vulnerability exists in the way Key Distribution Center (KDC) determines if a service ticket can be used for delegation via Kerberos Constrained Delegation (KCD). To exploit the vulnerability, a compromised service that is configured to use KCD could tamper with a service ticket that is not valid for delegation to force the KDC to accept it. The update addresses this vulnerability by changing how the KDC validates service tickets used with KCD.
CVE-2023-42670 3 Fedoraproject, Redhat, Samba 4 Fedora, Enterprise Linux, Storage and 1 more 2024-11-06 6.5 Medium
A flaw was found in Samba. It is susceptible to a vulnerability where multiple incompatible RPC listeners can be initiated, causing disruptions in the AD DC service. When Samba's RPC server experiences a high load or unresponsiveness, servers intended for non-AD DC purposes (for example, NT4-emulation "classic DCs") can erroneously start and compete for the same unix domain sockets. This issue leads to partial query responses from the AD DC, causing issues such as "The procedure number is out of range" when using tools like Active Directory Users. This flaw allows an attacker to disrupt AD DC services.
CVE-2023-42669 2 Redhat, Samba 10 Enterprise Linux, Enterprise Linux Eus, Enterprise Linux For Ibm Z Systems and 7 more 2024-11-06 6.5 Medium
A vulnerability was found in Samba's "rpcecho" development server, a non-Windows RPC server used to test Samba's DCE/RPC stack elements. This vulnerability stems from an RPC function that can be blocked indefinitely. The issue arises because the "rpcecho" service operates with only one worker in the main RPC task, allowing calls to the "rpcecho" server to be blocked for a specified time, causing service disruptions. This disruption is triggered by a "sleep()" call in the "dcesrv_echo_TestSleep()" function under specific conditions. Authenticated users or attackers can exploit this vulnerability to make calls to the "rpcecho" server, requesting it to block for a specified duration, effectively disrupting most services and leading to a complete denial of service on the AD DC. The DoS affects all other services as "rpcecho" runs in the main RPC task.
CVE-2020-14318 2 Redhat, Samba 3 Enterprise Linux, Storage, Samba 2024-10-29 4.3 Medium
A flaw was found in the way samba handled file and directory permissions. An authenticated user could use this flaw to gain access to certain file and directory information which otherwise would be unavailable to the attacker.
CVE-2022-3437 2 Fedoraproject, Samba 2 Fedora, Samba 2024-10-28 4.3 Medium
A heap-based buffer overflow vulnerability was found in Samba within the GSSAPI unwrap_des() and unwrap_des3() routines of Heimdal. The DES and Triple-DES decryption routines in the Heimdal GSSAPI library allow a length-limited write buffer overflow on malloc() allocated memory when presented with a maliciously small packet. This flaw allows a remote user to send specially crafted malicious data to the application, possibly resulting in a denial of service (DoS) attack.
CVE-2022-37967 4 Fedoraproject, Microsoft, Netapp and 1 more 12 Fedora, Windows Server 2008, Windows Server 2008 R2 and 9 more 2024-10-15 7.2 High
Windows Kerberos Elevation of Privilege Vulnerability
CVE-2022-37966 4 Fedoraproject, Microsoft, Netapp and 1 more 9 Fedora, Windows Server 2008, Windows Server 2012 and 6 more 2024-10-15 8.1 High
Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability
CVE-2023-5568 2 Redhat, Samba 3 Enterprise Linux, Storage, Samba 2024-09-18 5.9 Medium
A heap-based Buffer Overflow flaw was discovered in Samba. It could allow a remote, authenticated attacker to exploit this vulnerability to cause a denial of service.
CVE-2017-2619 3 Debian, Redhat, Samba 4 Debian Linux, Enterprise Linux, Storage and 1 more 2024-09-17 7.5 High
Samba before versions 4.6.1, 4.5.7 and 4.4.11 are vulnerable to a malicious client using a symlink race to allow access to areas of the server file system not exported under the share definition.
CVE-2018-1050 4 Canonical, Debian, Redhat and 1 more 8 Ubuntu Linux, Debian Linux, Enterprise Linux and 5 more 2024-09-16 4.3 Medium
All versions of Samba from 4.0.0 onwards are vulnerable to a denial of service attack when the RPC spoolss service is configured to be run as an external daemon. Missing input sanitization checks on some of the input parameters to spoolss RPC calls could cause the print spooler service to crash.
CVE-2013-1863 1 Samba 1 Samba 2024-09-16 N/A
Samba 4.x before 4.0.4, when configured as an Active Directory domain controller, uses world-writable permissions on non-default CIFS shares, which allows remote authenticated users to read, modify, create, or delete arbitrary files via standard filesystem operations.
CVE-2011-2411 2 Hp, Samba 3 Nonstop Server, Nonstop Server Software, Samba 2024-09-16 N/A
Unspecified vulnerability on HP NonStop Servers with software H06.x through H06.23.00 and J06.x through J06.12.00, when Samba is used, allows remote authenticated users to execute arbitrary code via unknown vectors.
CVE-2004-2687 2 Apple, Samba 2 Xcode, Samba 2024-09-16 N/A
distcc 2.x, as used in XCode 1.5 and others, when not configured to restrict access to the server port, allows remote attackers to execute arbitrary commands via compilation jobs, which are executed by the server without authorization checks.
CVE-2021-44142 6 Canonical, Debian, Fedoraproject and 3 more 28 Ubuntu Linux, Debian Linux, Fedora and 25 more 2024-09-16 8.8 High
The Samba vfs_fruit module uses extended file attributes (EA, xattr) to provide "...enhanced compatibility with Apple SMB clients and interoperability with a Netatalk 3 AFP fileserver." Samba versions prior to 4.13.17, 4.14.12 and 4.15.5 with vfs_fruit configured allow out-of-bounds heap read and write via specially crafted extended file attributes. A remote attacker with write access to extended file attributes can execute arbitrary code with the privileges of smbd, typically root.
CVE-2023-4091 3 Fedoraproject, Redhat, Samba 7 Fedora, Enterprise Linux, Enterprise Linux Eus and 4 more 2024-09-16 6.5 Medium
A vulnerability was discovered in Samba, where the flaw allows SMB clients to truncate files, even with read-only permissions when the Samba VFS module "acl_xattr" is configured with "acl_xattr:ignore system acls = yes". The SMB protocol allows opening files when the client requests read-only access but then implicitly truncates the opened file to 0 bytes if the client specifies a separate OVERWRITE create disposition request. The issue arises in configurations that bypass kernel file system permissions checks, relying solely on Samba's permissions.
CVE-2023-3961 3 Fedoraproject, Redhat, Samba 7 Fedora, Enterprise Linux, Enterprise Linux Eus and 4 more 2024-09-16 9.1 Critical
A path traversal vulnerability was identified in Samba when processing client pipe names connecting to Unix domain sockets within a private directory. Samba typically uses this mechanism to connect SMB clients to remote procedure call (RPC) services like SAMR LSA or SPOOLSS, which Samba initiates on demand. However, due to inadequate sanitization of incoming client pipe names, allowing a client to send a pipe name containing Unix directory traversal characters (../). This could result in SMB clients connecting as root to Unix domain sockets outside the private directory. If an attacker or client managed to send a pipe name resolving to an external service using an existing Unix domain socket, it could potentially lead to unauthorized access to the service and consequential adverse events, including compromise or service crashes.
CVE-2023-3347 3 Fedoraproject, Redhat, Samba 4 Fedora, Enterprise Linux, Storage and 1 more 2024-09-16 5.9 Medium
A vulnerability was found in Samba's SMB2 packet signing mechanism. The SMB2 packet signing is not enforced if an admin configured "server signing = required" or for SMB2 connections to Domain Controllers where SMB2 packet signing is mandatory. This flaw allows an attacker to perform attacks, such as a man-in-the-middle attack, by intercepting the network traffic and modifying the SMB2 messages between client and server, affecting the integrity of the data.
CVE-2023-34968 4 Debian, Fedoraproject, Redhat and 1 more 7 Debian Linux, Fedora, Enterprise Linux and 4 more 2024-09-16 5.3 Medium
A path disclosure vulnerability was found in Samba. As part of the Spotlight protocol, Samba discloses the server-side absolute path of shares, files, and directories in the results for search queries. This flaw allows a malicious client or an attacker with a targeted RPC request to view the information that is part of the disclosed path.
CVE-2023-34967 4 Debian, Fedoraproject, Redhat and 1 more 7 Debian Linux, Fedora, Enterprise Linux and 4 more 2024-09-16 5.3 Medium
A Type Confusion vulnerability was found in Samba's mdssvc RPC service for Spotlight. When parsing Spotlight mdssvc RPC packets, one encoded data structure is a key-value style dictionary where the keys are character strings, and the values can be any of the supported types in the mdssvc protocol. Due to a lack of type checking in callers of the dalloc_value_for_key() function, which returns the object associated with a key, a caller may trigger a crash in talloc_get_size() when talloc detects that the passed-in pointer is not a valid talloc pointer. With an RPC worker process shared among multiple client connections, a malicious client or attacker can trigger a process crash in a shared RPC mdssvc worker process, affecting all other clients this worker serves.
CVE-2023-34966 4 Debian, Fedoraproject, Redhat and 1 more 7 Debian Linux, Fedora, Enterprise Linux and 4 more 2024-09-16 7.5 High
An infinite loop vulnerability was found in Samba's mdssvc RPC service for Spotlight. When parsing Spotlight mdssvc RPC packets sent by the client, the core unmarshalling function sl_unpack_loop() did not validate a field in the network packet that contains the count of elements in an array-like structure. By passing 0 as the count value, the attacked function will run in an endless loop consuming 100% CPU. This flaw allows an attacker to issue a malformed RPC request, triggering an infinite loop, resulting in a denial of service condition.