{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-0614", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "dateUpdated": "2024-08-02T05:17:50.125Z", "dateReserved": "2023-02-01T00:00:00", "datePublished": "2023-04-03T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2023-09-17T08:06:14.183896"}, "descriptions": [{"lang": "en", "value": "The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919 Confidential attribute disclosure vi LDAP filters was insufficient and an attacker may be able to obtain confidential BitLocker recovery keys from a Samba AD DC."}], "affected": [{"vendor": "n/a", "product": "Samba", "versions": [{"version": "samba 4.18.1, samba 4.17.7, samba 4.16.10", "status": "affected"}]}], "references": [{"url": "https://www.samba.org/samba/security/CVE-2023-0614.html"}, {"url": "https://security.netapp.com/advisory/ntap-20230406-0007/"}, {"name": "FEDORA-2023-1c172e3264", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YXBPYIA4VWNOD437NAHZ3NXKAETLFB5S/"}, {"name": "GLSA-202309-06", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/202309-06"}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-200", "cweId": "CWE-200"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T05:17:50.125Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.samba.org/samba/security/CVE-2023-0614.html", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20230406-0007/", "tags": ["x_transferred"]}, {"name": "FEDORA-2023-1c172e3264", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YXBPYIA4VWNOD437NAHZ3NXKAETLFB5S/"}, {"name": "GLSA-202309-06", "tags": ["vendor-advisory", "x_transferred"], "url": "https://security.gentoo.org/glsa/202309-06"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:samba:samba:*:*:*:*:*:*:*:*", "matchCriteriaId": "4199E7A4-284A-45D7-84C7-AF0141FD94EE", "versionEndExcluding": "4.16.10", "versionStartIncluding": "4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:samba:samba:*:*:*:*:*:*:*:*", "matchCriteriaId": "2F914D5D-6211-4CF3-87AB-71284AD225A3", "versionEndExcluding": "4.17.7", "versionStartIncluding": "4.17.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:samba:samba:4.18.0:-:*:*:*:*:*:*", "matchCriteriaId": "D9A6E955-CE26-405F-9468-4557A256CA8A", "vulnerable": true}, {"criteria": "cpe:2.3:a:samba:samba:4.18.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "E9604B46-FDA2-4CA1-971F-315AFD250033", "vulnerable": true}, {"criteria": "cpe:2.3:a:samba:samba:4.18.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "1C209E4C-098B-4D49-A21B-AC8154FE3D85", "vulnerable": true}, {"criteria": "cpe:2.3:a:samba:samba:4.18.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "2849132A-18B1-4A49-8B2E-8B6DCFCC0501", "vulnerable": true}, {"criteria": "cpe:2.3:a:samba:samba:4.18.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "F657608C-18FB-49FA-A73E-F9BF5CD95B17", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919 Confidential attribute disclosure vi LDAP filters was insufficient and an attacker may be able to obtain confidential BitLocker recovery keys from a Samba AD DC."}, {"lang": "es", "value": "La correcci\u00f3n en 4.6.16, 4.7.9, 4.8.4 y 4.9.7 para CVE-2018-10919 Confidential Attribute Disclosure meidante filtros LDAP era insuficiente y un atacante podr\u00eda ser capaz de obtener claves confidenciales de recuperaci\u00f3n de BitLocker desde un Samba AD DC."}], "id": "CVE-2023-0614", "lastModified": "2023-11-07T04:01:00.410", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-04-03T23:15:06.957", "references": [{"source": "secalert@redhat.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YXBPYIA4VWNOD437NAHZ3NXKAETLFB5S/"}, {"source": "secalert@redhat.com", "url": "https://security.gentoo.org/glsa/202309-06"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20230406-0007/"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://www.samba.org/samba/security/CVE-2023-0614.html"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-312"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-200"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"bugzilla": {"description": "samba: Access controlled AD LDAP attributes can be discovered", "id": "2182776", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2182776"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-200", "details": ["The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919 Confidential attribute disclosure vi LDAP filters was insufficient and an attacker may be able to obtain confidential BitLocker recovery keys from a Samba AD DC.", "A vulnerability was found in Samba. Confidential attribute disclosure via LDAP filters is insufficient, which may allow an attacker to obtain confidential BitLocker recovery keys from a Samba AD DC."], "name": "CVE-2023-0614", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "samba", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "samba", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "samba", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "samba", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "samba", "product_name": "Red Hat Storage 3"}], "public_date": "2023-03-29T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-0614\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-0614"], "statement": "The samba package as shipped with Red Hat Enterprise Linux 6, 7, 8, and 9, and Red Hat Gluster is not affected by this issue, as Red Hat doesn't provide the AD domain controller capability with it.", "threat_severity": "Moderate", "upstream_fix": "samba 4.18.1, samba 4.17.7, samba 4.16.10"}