U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): cpe:2.3:a:samba:samba:4.0.7:*:*:*:*:*:*:*
There are 95 matching records.
Displaying matches 41 through 60.
Vuln ID Summary CVSS Severity
CVE-2019-14861

All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11.x before 4.11.3 have an issue, where the (poorly named) dnsserver RPC pipe provides administrative facilities to modify DNS records and zones. Samba, when acting as an AD DC, stores DNS records in LDAP. In AD, the default permissions on the DNS partition allow creation of new records by authenticated users. This is used for example to allow machines to self-register in DNS. If a DNS record was created that case-insensitively matched the name of the zone, the ldb_qsort() and dns_name_compare() routines could be confused into reading memory prior to the list of DNS entries when responding to DnssrvEnumRecords() or DnssrvEnumRecords2() and so following invalid memory as a pointer.

Published: December 10, 2019; 6:15:10 PM -0500
V3.1: 5.3 MEDIUM
V2.0: 3.5 LOW
CVE-2019-14847

A flaw was found in samba 4.0.0 before samba 4.9.15 and samba 4.10.x before 4.10.10. An attacker can crash AD DC LDAP server via dirsync resulting in denial of service. Privilege escalation is not possible with this issue.

Published: November 06, 2019; 5:15:10 AM -0500
V3.1: 4.9 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2019-10218

A flaw was found in the samba client, all samba versions before samba 4.11.2, 4.10.10 and 4.9.15, where a malicious server can supply a pathname to the client with separators. This could allow the client to access files and folders outside of the SMB network pathnames. An attacker could use this vulnerability to create files outside of the current working directory using the privileges of the client user.

Published: November 06, 2019; 5:15:10 AM -0500
V3.1: 6.5 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2019-3880

A flaw was found in the way samba implemented an RPC endpoint emulating the Windows registry service API. An unprivileged attacker could use this flaw to create a new registry hive file anywhere they have unix permissions which could lead to creation of a new file in the Samba share. Versions before 4.8.11, 4.9.6 and 4.10.2 are vulnerable.

Published: April 09, 2019; 12:29:01 PM -0400
V3.1: 5.4 MEDIUM
V2.0: 5.5 MEDIUM
CVE-2019-3824

A flaw was found in the way an LDAP search expression could crash the shared LDAP server process of a samba AD DC in samba before version 4.10. An authenticated user, having read permissions on the LDAP server, could use this flaw to cause denial of service.

Published: March 06, 2019; 10:29:00 AM -0500
V3.0: 6.5 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2018-16851

Samba from version 4.0.0 and before versions 4.7.12, 4.8.7, 4.9.3 is vulnerable to a denial of service. During the processing of an LDAP search before Samba's AD DC returns the LDAP entries to the client, the entries are cached in a single memory object with a maximum size of 256MB. When this size is reached, the Samba process providing the LDAP service will follow the NULL pointer, terminating the process. There is no further vulnerability associated with this issue, merely a denial of service.

Published: November 28, 2018; 9:29:00 AM -0500
V3.1: 6.5 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2018-14629

A denial of service vulnerability was discovered in Samba's LDAP server before versions 4.7.12, 4.8.7, and 4.9.3. A CNAME loop could lead to infinite recursion in the server. An unprivileged local attacker could create such an entry, leading to denial of service.

Published: November 28, 2018; 9:29:00 AM -0500
V3.0: 6.5 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2016-2123

A flaw was found in samba versions 4.0.0 to 4.5.2. The Samba routine ndr_pull_dnsp_name contains an integer wrap problem, leading to an attacker-controlled memory overwrite. ndr_pull_dnsp_name parses data from the Samba Active Directory ldb database. Any user who can write to the dnsRecord attribute over LDAP can trigger this memory corruption. By default, all authenticated LDAP users can write to the dnsRecord attribute on new DNS objects. This makes the defect a remote privilege escalation.

Published: November 01, 2018; 9:29:00 AM -0400
V3.1: 8.8 HIGH
V2.0: 6.5 MEDIUM
CVE-2016-2125

It was found that Samba before versions 4.5.3, 4.4.8, 4.3.13 always requested forwardable tickets when using Kerberos authentication. A service to which Samba authenticated using Kerberos could subsequently use the ticket to impersonate Samba to other services or domain users.

Published: October 31, 2018; 4:29:00 PM -0400
V3.1: 6.5 MEDIUM
V2.0: 3.3 LOW
CVE-2018-10919

The Samba Active Directory LDAP server was vulnerable to an information disclosure flaw because of missing access control checks. An authenticated attacker could use this flaw to extract confidential attribute values using LDAP search expressions. Samba versions before 4.6.16, 4.7.9 and 4.8.4 are vulnerable.

Published: August 22, 2018; 1:29:00 PM -0400
V3.0: 6.5 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2018-10858

A heap-buffer overflow was found in the way samba clients processed extra long filename in a directory listing. A malicious samba server could use this flaw to cause arbitrary code execution on a samba client. Samba versions before 4.6.16, 4.7.9 and 4.8.4 are vulnerable.

Published: August 22, 2018; 1:29:00 PM -0400
V3.0: 8.8 HIGH
V2.0: 6.5 MEDIUM
CVE-2017-12151

A flaw was found in the way samba client before samba 4.4.16, samba 4.5.14 and samba 4.6.8 used encryption with the max protocol set as SMB3. The connection could lose the requirement for signing and encrypting to any DFS redirects, allowing an attacker to read or alter the contents of the connection via a man-in-the-middle attack.

Published: July 27, 2018; 8:29:00 AM -0400
V3.0: 7.4 HIGH
V2.0: 5.8 MEDIUM
CVE-2017-12150

It was found that samba before 4.4.16, 4.5.x before 4.5.14, and 4.6.x before 4.6.8 did not enforce "SMB signing" when certain configuration options were enabled. A remote attacker could launch a man-in-the-middle attack and retrieve information in plain-text.

Published: July 26, 2018; 2:29:00 PM -0400
V3.1: 7.4 HIGH
V2.0: 5.8 MEDIUM
CVE-2017-12163

An information leak flaw was found in the way SMB1 protocol was implemented by Samba before 4.4.16, 4.5.x before 4.5.14, and 4.6.x before 4.6.8. A malicious client could use this flaw to dump server memory contents to a file on the samba share or to a shared printer, though the exact area of server memory cannot be controlled by the attacker.

Published: July 26, 2018; 12:29:00 PM -0400
V3.0: 7.1 HIGH
V2.0: 4.8 MEDIUM
CVE-2018-1057

On a Samba 4 AD DC the LDAP server in all versions of Samba from 4.0.0 onwards incorrectly validates permissions to modify passwords over LDAP allowing authenticated users to change any other users' passwords, including administrative users and privileged service accounts (eg Domain Controllers).

Published: March 13, 2018; 12:29:00 PM -0400
V3.1: 8.8 HIGH
V2.0: 6.5 MEDIUM
CVE-2018-1050

All versions of Samba from 4.0.0 onwards are vulnerable to a denial of service attack when the RPC spoolss service is configured to be run as an external daemon. Missing input sanitization checks on some of the input parameters to spoolss RPC calls could cause the print spooler service to crash.

Published: March 13, 2018; 12:29:00 PM -0400
V3.1: 4.3 MEDIUM
V2.0: 3.3 LOW
CVE-2017-2619

Samba before versions 4.6.1, 4.5.7 and 4.4.11 are vulnerable to a malicious client using a symlink race to allow access to areas of the server file system not exported under the share definition.

Published: March 12, 2018; 11:29:00 AM -0400
V3.1: 7.5 HIGH
V2.0: 6.0 MEDIUM
CVE-2017-15275

Samba before 4.7.3 might allow remote attackers to obtain sensitive information by leveraging failure of the server to clear allocated heap memory.

Published: November 27, 2017; 5:29:00 PM -0500
V3.1: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2017-14746

Use-after-free vulnerability in Samba 4.x before 4.7.3 allows remote attackers to execute arbitrary code via a crafted SMB1 request.

Published: November 27, 2017; 5:29:00 PM -0500
V3.1: 9.8 CRITICAL
V2.0: 7.5 HIGH
CVE-2017-11103

Heimdal before 7.4 allows remote attackers to impersonate services with Orpheus' Lyre attacks because it obtains service-principal names in a way that violates the Kerberos 5 protocol specification. In _krb5_extract_ticket() the KDC-REP service name must be obtained from the encrypted version stored in 'enc_part' instead of the unencrypted version stored in 'ticket'. Use of the unencrypted version provides an opportunity for successful server impersonation and other attacks. NOTE: this CVE is only for Heimdal and other products that embed Heimdal code; it does not apply to other instances in which this part of the Kerberos 5 protocol specification is violated.

Published: July 13, 2017; 9:29:00 AM -0400
V3.1: 8.1 HIGH
V2.0: 6.8 MEDIUM