rpm package
almalinux/samba-winbind
pkg:rpm/almalinux/samba-winbind
Vulnerabilities (19)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-4408 | Cri | 9.0 | < 4.19.4-16.el8_10 | 4.19.4-16.el8_10 | May 28, 2026 | A flaw was found in Samba. A remote attacker can exploit a misconfiguration in Samba file servers and classic domain controllers that use the "check password script" feature. If this script is configured with the %u substitution character, the client-controlled username is passed | |
| CVE-2026-2340 | Med | 6.5 | < 4.23.5-109.el10_2 | 4.23.5-109.el10_2 | May 27, 2026 | A flaw was found in Samba’s vfs_worm module. The module is intended to provide write-once, read-many (WORM) protections by preventing modification of files after a configurable grace period. Due to insufficient validation during rename operations, an authenticated user with write | |
| CVE-2026-1933 | Hig | 7.1 | < 4.23.5-109.el10_2 | 4.23.5-109.el10_2 | May 27, 2026 | A flaw was found in Samba’s handling of NTFS-style reparse points on shares configured with read only = yes. Due to missing SMB-layer access checks, authenticated users with underlying filesystem write permissions may create or delete reparse point metadata through SMB operations | |
| CVE-2026-3012 | Hig | 8.0 | < 4.19.4-16.el8_10 | 4.19.4-16.el8_10 | May 27, 2026 | A flaw was found in Samba’s certificate auto-enrollment Group Policy handling. When certificate auto-enrollment is enabled, Samba may retrieve a CA certificate over an unencrypted HTTP connection and install it into the local trust store without proper verification. An attacker w | |
| CVE-2026-4480 | Cri | 9.0 | < 4.19.4-16.el8_10 | 4.19.4-16.el8_10 | May 26, 2026 | A flaw was found in the Samba printing subsystem. Samba passes the client-controlled job description string to the command configured with the "print command" setting via the "%J" substitution character without escaping shell meta characters. A remote attacker could exploit this | |
| CVE-2026-40170 | Hig | 7.5 | < 4.23.5-109.el10_2 | 4.23.5-109.el10_2 | Apr 16, 2026 | ngtcp2 is a C implementation of the IETF QUIC protocol. In versions prior to 1.22.1, ngtcp2_qlog_parameters_set_transport_params() serializes peer transport parameters into a fixed 1024-byte stack buffer without bounds checking. When qlog is enabled, a remote peer can send suffic | |
| CVE-2023-42669 | — | < 4.18.6-101.el9_3.alma.1 | 4.18.6-101.el9_3.alma.1 | Nov 6, 2023 | A vulnerability was found in Samba's "rpcecho" development server, a non-Windows RPC server used to test Samba's DCE/RPC stack elements. This vulnerability stems from an RPC function that can be blocked indefinitely. The issue arises because the "rpcecho" service operates with on | ||
| CVE-2023-3961 | — | < 4.18.6-101.el9_3.alma.1 | 4.18.6-101.el9_3.alma.1 | Nov 3, 2023 | A path traversal vulnerability was identified in Samba when processing client pipe names connecting to Unix domain sockets within a private directory. Samba typically uses this mechanism to connect SMB clients to remote procedure call (RPC) services like SAMR LSA or SPOOLSS, whic | ||
| CVE-2023-4091 | — | < 4.18.6-101.el9_3.alma.1 | 4.18.6-101.el9_3.alma.1 | Nov 3, 2023 | A vulnerability was discovered in Samba, where the flaw allows SMB clients to truncate files, even with read-only permissions when the Samba VFS module "acl_xattr" is configured with "acl_xattr:ignore system acls = yes". The SMB protocol allows opening files when the client reque | ||
| CVE-2023-34968 | — | < 4.18.6-100.el9 | 4.18.6-100.el9 | Jul 20, 2023 | A path disclosure vulnerability was found in Samba. As part of the Spotlight protocol, Samba discloses the server-side absolute path of shares, files, and directories in the results for search queries. This flaw allows a malicious client or an attacker with a targeted RPC request | ||
| CVE-2023-34967 | — | < 4.18.6-100.el9 | 4.18.6-100.el9 | Jul 20, 2023 | A Type Confusion vulnerability was found in Samba's mdssvc RPC service for Spotlight. When parsing Spotlight mdssvc RPC packets, one encoded data structure is a key-value style dictionary where the keys are character strings, and the values can be any of the supported types in th | ||
| CVE-2023-34966 | — | < 4.18.6-100.el9 | 4.18.6-100.el9 | Jul 20, 2023 | An infinite loop vulnerability was found in Samba's mdssvc RPC service for Spotlight. When parsing Spotlight mdssvc RPC packets sent by the client, the core unmarshalling function sl_unpack_loop() did not validate a field in the network packet that contains the count of elements | ||
| CVE-2023-3347 | — | < 4.17.5-103.el9_2.alma | 4.17.5-103.el9_2.alma | Jul 20, 2023 | A vulnerability was found in Samba's SMB2 packet signing mechanism. The SMB2 packet signing is not enforced if an admin configured "server signing = required" or for SMB2 connections to Domain Controllers where SMB2 packet signing is mandatory. This flaw allows an attacker to per | ||
| CVE-2022-2127 | — | < 4.18.6-100.el9 | 4.18.6-100.el9 | Jul 20, 2023 | An out-of-bounds read vulnerability was found in Samba due to insufficient length checks in winbindd_pam_auth_crap.c. When performing NTLM authentication, the client replies to cryptographic challenges back to the server. These replies have variable lengths, and Winbind fails to | ||
| CVE-2022-38023 | — | < 4.16.4-4.el8_7 | 4.16.4-4.el8_7 | Nov 9, 2022 | Netlogon RPC Elevation of Privilege Vulnerability | ||
| CVE-2022-1615 | — | < 4.17.5-102.el9 | 4.17.5-102.el9 | Sep 1, 2022 | In Samba, GnuTLS gnutls_rnd() can fail and give predictable random values. | ||
| CVE-2022-32742 | — | < 4.15.5-10.el8_6 | 4.15.5-10.el8_6 | Aug 25, 2022 | A flaw was found in Samba. Some SMB1 write requests were not correctly range-checked to ensure the client had sent enough data to fulfill the write, allowing server memory contents to be written into the file (or printer) instead of client-supplied data. The client cannot control | ||
| CVE-2021-20316 | — | < 4.15.5-5.el8 | 4.15.5-5.el8 | Aug 23, 2022 | A flaw was found in the way Samba handled file/directory metadata. This flaw allows an authenticated attacker with permissions to read or modify share metadata, to perform this operation outside of the share. | ||
| CVE-2021-44141 | — | < 4.15.5-5.el8 | 4.15.5-5.el8 | Feb 21, 2022 | All versions of Samba prior to 4.15.5 are vulnerable to a malicious client using a server symlink to determine if a file or directory exists in an area of the server file system not exported under the share definition. SMB1 with unix extensions has to be enabled in order for this |
- affected < 4.19.4-16.el8_10fixed 4.19.4-16.el8_10
A flaw was found in Samba. A remote attacker can exploit a misconfiguration in Samba file servers and classic domain controllers that use the "check password script" feature. If this script is configured with the %u substitution character, the client-controlled username is passed
- affected < 4.23.5-109.el10_2fixed 4.23.5-109.el10_2
A flaw was found in Samba’s vfs_worm module. The module is intended to provide write-once, read-many (WORM) protections by preventing modification of files after a configurable grace period. Due to insufficient validation during rename operations, an authenticated user with write
- affected < 4.23.5-109.el10_2fixed 4.23.5-109.el10_2
A flaw was found in Samba’s handling of NTFS-style reparse points on shares configured with read only = yes. Due to missing SMB-layer access checks, authenticated users with underlying filesystem write permissions may create or delete reparse point metadata through SMB operations
- affected < 4.19.4-16.el8_10fixed 4.19.4-16.el8_10
A flaw was found in Samba’s certificate auto-enrollment Group Policy handling. When certificate auto-enrollment is enabled, Samba may retrieve a CA certificate over an unencrypted HTTP connection and install it into the local trust store without proper verification. An attacker w
- affected < 4.19.4-16.el8_10fixed 4.19.4-16.el8_10
A flaw was found in the Samba printing subsystem. Samba passes the client-controlled job description string to the command configured with the "print command" setting via the "%J" substitution character without escaping shell meta characters. A remote attacker could exploit this
- affected < 4.23.5-109.el10_2fixed 4.23.5-109.el10_2
ngtcp2 is a C implementation of the IETF QUIC protocol. In versions prior to 1.22.1, ngtcp2_qlog_parameters_set_transport_params() serializes peer transport parameters into a fixed 1024-byte stack buffer without bounds checking. When qlog is enabled, a remote peer can send suffic
- CVE-2023-42669Nov 6, 2023affected < 4.18.6-101.el9_3.alma.1fixed 4.18.6-101.el9_3.alma.1
A vulnerability was found in Samba's "rpcecho" development server, a non-Windows RPC server used to test Samba's DCE/RPC stack elements. This vulnerability stems from an RPC function that can be blocked indefinitely. The issue arises because the "rpcecho" service operates with on
- CVE-2023-3961Nov 3, 2023affected < 4.18.6-101.el9_3.alma.1fixed 4.18.6-101.el9_3.alma.1
A path traversal vulnerability was identified in Samba when processing client pipe names connecting to Unix domain sockets within a private directory. Samba typically uses this mechanism to connect SMB clients to remote procedure call (RPC) services like SAMR LSA or SPOOLSS, whic
- CVE-2023-4091Nov 3, 2023affected < 4.18.6-101.el9_3.alma.1fixed 4.18.6-101.el9_3.alma.1
A vulnerability was discovered in Samba, where the flaw allows SMB clients to truncate files, even with read-only permissions when the Samba VFS module "acl_xattr" is configured with "acl_xattr:ignore system acls = yes". The SMB protocol allows opening files when the client reque
- CVE-2023-34968Jul 20, 2023affected < 4.18.6-100.el9fixed 4.18.6-100.el9
A path disclosure vulnerability was found in Samba. As part of the Spotlight protocol, Samba discloses the server-side absolute path of shares, files, and directories in the results for search queries. This flaw allows a malicious client or an attacker with a targeted RPC request
- CVE-2023-34967Jul 20, 2023affected < 4.18.6-100.el9fixed 4.18.6-100.el9
A Type Confusion vulnerability was found in Samba's mdssvc RPC service for Spotlight. When parsing Spotlight mdssvc RPC packets, one encoded data structure is a key-value style dictionary where the keys are character strings, and the values can be any of the supported types in th
- CVE-2023-34966Jul 20, 2023affected < 4.18.6-100.el9fixed 4.18.6-100.el9
An infinite loop vulnerability was found in Samba's mdssvc RPC service for Spotlight. When parsing Spotlight mdssvc RPC packets sent by the client, the core unmarshalling function sl_unpack_loop() did not validate a field in the network packet that contains the count of elements
- CVE-2023-3347Jul 20, 2023affected < 4.17.5-103.el9_2.almafixed 4.17.5-103.el9_2.alma
A vulnerability was found in Samba's SMB2 packet signing mechanism. The SMB2 packet signing is not enforced if an admin configured "server signing = required" or for SMB2 connections to Domain Controllers where SMB2 packet signing is mandatory. This flaw allows an attacker to per
- CVE-2022-2127Jul 20, 2023affected < 4.18.6-100.el9fixed 4.18.6-100.el9
An out-of-bounds read vulnerability was found in Samba due to insufficient length checks in winbindd_pam_auth_crap.c. When performing NTLM authentication, the client replies to cryptographic challenges back to the server. These replies have variable lengths, and Winbind fails to
- CVE-2022-38023Nov 9, 2022affected < 4.16.4-4.el8_7fixed 4.16.4-4.el8_7
Netlogon RPC Elevation of Privilege Vulnerability
- CVE-2022-1615Sep 1, 2022affected < 4.17.5-102.el9fixed 4.17.5-102.el9
In Samba, GnuTLS gnutls_rnd() can fail and give predictable random values.
- CVE-2022-32742Aug 25, 2022affected < 4.15.5-10.el8_6fixed 4.15.5-10.el8_6
A flaw was found in Samba. Some SMB1 write requests were not correctly range-checked to ensure the client had sent enough data to fulfill the write, allowing server memory contents to be written into the file (or printer) instead of client-supplied data. The client cannot control
- CVE-2021-20316Aug 23, 2022affected < 4.15.5-5.el8fixed 4.15.5-5.el8
A flaw was found in the way Samba handled file/directory metadata. This flaw allows an authenticated attacker with permissions to read or modify share metadata, to perform this operation outside of the share.
- CVE-2021-44141Feb 21, 2022affected < 4.15.5-5.el8fixed 4.15.5-5.el8
All versions of Samba prior to 4.15.5 are vulnerable to a malicious client using a server symlink to determine if a file or directory exists in an area of the server file system not exported under the share definition. SMB1 with unix extensions has to be enabled in order for this