| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complex
ity
|
Authen
tication
|
Confiden
tiality
|
Integrity
|
Availa
bility
|
|
1 |
CVE-2012-2111 |
264 |
|
|
2012-04-30 |
2012-05-01 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
The (1) CreateAccount, (2) OpenAccount, (3) AddAccountRights, and (4) RemoveAccountRights LSA RPC procedures in smbd in Samba 3.4.x before 3.4.17, 3.5.x before 3.5.15, and 3.6.x before 3.6.5 do not properly restrict modifications to the privileges database, which allows remote authenticated users to obtain the "take ownership" privilege via an LSA connection. |
|
2 |
CVE-2012-1182 |
189 |
|
Exec Code |
2012-04-10 |
2012-05-11 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
The RPC code generator in Samba 3.x before 3.4.16, 3.5.x before 3.5.14, and 3.6.x before 3.6.4 does not implement validation of an array length in a manner consistent with validation of array memory allocation, which allows remote attackers to execute arbitrary code via a crafted RPC call. |
|
3 |
CVE-2012-0870 |
119 |
|
DoS Exec Code Overflow |
2012-02-23 |
2012-05-11 |
7.9 |
None |
Local Network |
Medium |
Not required |
Complete |
Complete |
Complete |
|
Heap-based buffer overflow in process.c in smbd in Samba 3.0, as used in the file-sharing service on the BlackBerry PlayBook tablet before 2.0.0.7971 and other products, allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a Batched (aka AndX) request that triggers infinite recursion. |
|
4 |
CVE-2012-0817 |
200 |
|
DoS +Info |
2012-01-30 |
2012-02-24 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Memory leak in smbd in Samba 3.6.x before 3.6.3 allows remote attackers to cause a denial of service (memory and CPU consumption) by making many connection requests. |
|
5 |
CVE-2011-2724 |
20 |
|
DoS |
2011-09-06 |
2011-10-25 |
1.2 |
None |
Local |
High |
Not required |
None |
None |
Partial |
|
The check_mtab function in client/mount.cifs.c in mount.cifs in smbfs in Samba 3.5.10 and earlier does not properly verify that the (1) device name and (2) mountpoint strings are composed of valid characters, which allows local users to cause a denial of service (mtab corruption) via a crafted string. NOTE: this vulnerability exists because of an incorrect fix for CVE-2010-0547. |
|
6 |
CVE-2011-2694 |
79 |
|
XSS |
2011-07-29 |
2011-10-03 |
2.6 |
None |
Remote |
High |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the chg_passwd function in web/swat.c in the Samba Web Administration Tool (SWAT) in Samba 3.x before 3.5.10 allows remote authenticated administrators to inject arbitrary web script or HTML via the username parameter to the passwd program (aka the user field to the Change Password page). |
|
7 |
CVE-2011-2522 |
352 |
1
|
CSRF |
2011-07-29 |
2011-10-03 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Multiple cross-site request forgery (CSRF) vulnerabilities in the Samba Web Administration Tool (SWAT) in Samba 3.x before 3.5.10 allow remote attackers to hijack the authentication of administrators for requests that (1) shut down daemons, (2) start daemons, (3) add shares, (4) remove shares, (5) add printers, (6) remove printers, (7) add user accounts, or (8) remove user accounts, as demonstrated by certain start, stop, and restart parameters to the status program. |
|
8 |
CVE-2011-2411 |
|
|
Exec Code |
2011-10-02 |
2012-05-18 |
9.0 |
None |
Remote |
Low |
Single system |
Complete |
Complete |
Complete |
|
Unspecified vulnerability on HP NonStop Servers with software H06.x through H06.23.00 and J06.x through J06.12.00, when Samba is used, allows remote authenticated users to execute arbitrary code via unknown vectors. |
|
9 |
CVE-2011-1678 |
16 |
|
|
2011-04-09 |
2011-10-25 |
3.3 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
None |
|
smbfs in Samba 3.5.8 and earlier attempts to use (1) mount.cifs to append to the /etc/mtab file and (2) umount.cifs to append to the /etc/mtab.tmp file without first checking whether resource limits would interfere, which allows local users to trigger corruption of the /etc/mtab file via a process with a small RLIMIT_FSIZE value, a related issue to CVE-2011-1089. |
|
10 |
CVE-2011-1097 |
119 |
|
DoS Exec Code Overflow Mem. Corr. |
2011-03-30 |
2011-04-20 |
5.1 |
None |
Remote |
High |
Not required |
Partial |
Partial |
Partial |
|
rsync 3.x before 3.0.8, when certain recursion, deletion, and ownership options are used, allows remote rsync servers to cause a denial of service (heap memory corruption and application crash) or possibly execute arbitrary code via malformed data. |
|
11 |
CVE-2011-0719 |
119 |
|
DoS Overflow Mem. Corr. |
2011-03-01 |
2011-08-26 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Samba 3.x before 3.3.15, 3.4.x before 3.4.12, and 3.5.x before 3.5.7 does not perform range checks for file descriptors before use of the FD_SET macro, which allows remote attackers to cause a denial of service (stack memory corruption, and infinite loop or daemon crash) by opening a large number of files, related to (1) Winbind or (2) smbd. |
|
12 |
CVE-2010-3069 |
119 |
|
DoS Exec Code Overflow |
2010-09-15 |
2011-08-26 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Stack-based buffer overflow in the (1) sid_parse and (2) dom_sid_parse functions in Samba before 3.5.5 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted Windows Security ID (SID) on a file share. |
|
13 |
CVE-2010-2063 |
119 |
|
DoS Exec Code Overflow Mem. Corr. |
2010-06-17 |
2011-08-26 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Buffer overflow in the SMB1 packet chaining implementation in the chain_reply function in process.c in smbd in Samba 3.0.x before 3.3.13 allows remote attackers to cause a denial of service (memory corruption and daemon crash) or possibly execute arbitrary code via a crafted field in a packet. |
|
14 |
CVE-2010-1642 |
119 |
|
DoS Overflow |
2010-06-17 |
2010-07-30 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The reply_sesssetup_and_X_spnego function in sesssetup.c in smbd in Samba before 3.4.8 and 3.5.x before 3.5.2 allows remote attackers to trigger an out-of-bounds read, and cause a denial of service (process crash), via a \xff\xff security blob length in a Session Setup AndX request. |
|
15 |
CVE-2010-1635 |
|
|
DoS |
2010-06-17 |
2010-07-30 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The chain_reply function in process.c in smbd in Samba before 3.4.8 and 3.5.x before 3.5.2 allows remote attackers to cause a denial of service (NULL pointer dereference and process crash) via a Negotiate Protocol request with a certain 0x0003 field value followed by a Session Setup AndX request with a certain 0x8003 field value. |
|
16 |
CVE-2010-0926 |
22 |
|
Dir. Trav. |
2010-03-10 |
2010-09-09 |
3.5 |
None |
Remote |
Medium |
Single system |
Partial |
None |
None |
|
The default configuration of smbd in Samba before 3.3.11, 3.4.x before 3.4.6, and 3.5.x before 3.5.0rc3, when a writable share exists, allows remote authenticated users to leverage a directory traversal vulnerability, and access arbitrary files, by using the symlink command in smbclient to create a symlink containing .. (dot dot) sequences, related to the combination of the unix extensions and wide links options. |
|
17 |
CVE-2010-0787 |
59 |
|
+Priv |
2010-03-02 |
2010-09-09 |
4.4 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
Partial |
|
client/mount.cifs.c in mount.cifs in smbfs in Samba 3.0.22, 3.0.28a, 3.2.3, 3.3.2, 3.4.0, and 3.4.5 allows local users to mount a CIFS share on an arbitrary mountpoint, and gain privileges, via a symlink attack on the mountpoint directory file. |
|
18 |
CVE-2010-0728 |
264 |
|
Bypass |
2010-03-10 |
2010-03-10 |
8.5 |
Admin |
Remote |
Medium |
Single system |
Complete |
Complete |
Complete |
|
smbd in Samba 3.3.11, 3.4.6, and 3.5.0, when libcap support is enabled, runs with the CAP_DAC_OVERRIDE capability, which allows remote authenticated users to bypass intended file permissions via standard filesystem operations with any client. |
|
19 |
CVE-2010-0547 |
20 |
|
DoS |
2010-02-04 |
2010-09-09 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
client/mount.cifs.c in mount.cifs in smbfs in Samba 3.4.5 and earlier does not verify that the (1) device name and (2) mountpoint strings are composed of valid characters, which allows local users to cause a denial of service (mtab corruption) via a crafted string. |
|
20 |
CVE-2009-2948 |
264 |
|
|
2009-10-07 |
2010-08-21 |
1.9 |
None |
Local |
Medium |
Not required |
Partial |
None |
None |
|
mount.cifs in Samba 3.0 before 3.0.37, 3.2 before 3.2.15, 3.3 before 3.3.8 and 3.4 before 3.4.2, when mount.cifs is installed suid root, does not properly enforce permissions, which allows local users to read part of the credentials file and obtain the password by specifying the path to the credentials file and using the --verbose or -v option. |
|
21 |
CVE-2009-2906 |
|
|
DoS |
2009-10-07 |
2010-08-21 |
4.0 |
None |
Remote |
Low |
Single system |
None |
None |
Partial |
|
smbd in Samba 3.0 before 3.0.37, 3.2 before 3.2.15, 3.3 before 3.3.8, and 3.4 before 3.4.2 allows remote authenticated users to cause a denial of service (infinite loop) via an unanticipated oplock break notification reply packet. |
|
22 |
CVE-2009-2813 |
264 |
|
Bypass |
2009-09-14 |
2011-07-18 |
6.0 |
None |
Remote |
Medium |
Single system |
Partial |
Partial |
Partial |
|
Samba 3.4 before 3.4.2, 3.3 before 3.3.8, 3.2 before 3.2.15, and 3.0.12 through 3.0.36, as used in the SMB subsystem in Apple Mac OS X 10.5.8 when Windows File Sharing is enabled, Fedora 11, and other operating systems, does not properly handle errors in resolving pathnames, which allows remote authenticated users to bypass intended sharing restrictions, and read, create, or modify files, in certain circumstances involving user accounts that lack home directories. |
|
23 |
CVE-2009-1888 |
264 |
|
|
2009-06-24 |
2010-08-21 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
The acl_group_override function in smbd/posix_acls.c in smbd in Samba 3.0.x before 3.0.35, 3.1.x and 3.2.x before 3.2.13, and 3.3.x before 3.3.6, when dos filemode is enabled, allows remote attackers to modify access control lists for files via vectors related to read access to uninitialized memory. |
|
24 |
CVE-2009-1886 |
134 |
|
Exec Code |
2009-06-24 |
2009-10-14 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
Multiple format string vulnerabilities in client/client.c in smbclient in Samba 3.2.0 through 3.2.12 might allow context-dependent attackers to execute arbitrary code via format string specifiers in a filename. |
|
25 |
CVE-2009-0022 |
20 |
|
|
2009-01-05 |
2009-03-13 |
6.3 |
None |
Remote |
Medium |
Single system |
Complete |
None |
None |
|
Samba 3.2.0 through 3.2.6, when registry shares are enabled, allows remote authenticated users to access the root filesystem via a crafted connection request that specifies a blank share name. |
|
26 |
CVE-2008-4314 |
200 |
|
DoS +Info |
2008-12-01 |
2009-08-19 |
8.5 |
None |
Remote |
Low |
Not required |
Complete |
None |
Partial |
|
smbd in Samba 3.0.29 through 3.2.4 might allow remote attackers to read arbitrary memory and cause a denial of service via crafted (1) trans, (2) trans2, and (3) nttrans requests, related to a "cut&paste error" that causes an improper bounds check to be performed. |
|
27 |
CVE-2008-3789 |
264 |
|
|
2008-08-27 |
2008-11-15 |
2.1 |
None |
Local |
Low |
Not required |
None |
Partial |
None |
|
Samba 3.2.0 uses weak permissions (0666) for the (1) group_mapping.tdb and (2) group_mapping.ldb files, which allows local users to modify the membership of Unix groups. |
|
28 |
CVE-2008-1720 |
119 |
|
Exec Code Overflow |
2008-04-10 |
2009-08-18 |
7.5 |
User |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Buffer overflow in rsync 2.6.9 to 3.0.1, with extended attribute (xattr) support enabled, might allow remote attackers to execute arbitrary code via unknown vectors. |
|
29 |
CVE-2008-1105 |
119 |
1
|
Exec Code Overflow |
2008-05-29 |
2010-08-21 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Heap-based buffer overflow in the receive_smb_raw function in util/sock.c in Samba 3.0.0 through 3.0.29 allows remote attackers to execute arbitrary code via a crafted SMB response. |
|
30 |
CVE-2007-6015 |
119 |
|
Exec Code Overflow |
2007-12-13 |
2010-08-21 |
9.3 |
Admin |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
Stack-based buffer overflow in the send_mailslot function in nmbd in Samba 3.0.0 through 3.0.27a, when the "domain logons" option is enabled, allows remote attackers to execute arbitrary code via a GETDC mailslot request composed of a long GETDC string following an offset username in a SAMLOGON logon request. |
|
31 |
CVE-2007-5398 |
119 |
|
Exec Code Overflow |
2007-11-16 |
2010-08-21 |
9.3 |
Admin |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
Stack-based buffer overflow in the reply_netbios_packet function in nmbd/nmbd_packets.c in nmbd in Samba 3.0.0 through 3.0.26a, when operating as a WINS server, allows remote attackers to execute arbitrary code via crafted WINS Name Registration requests followed by a WINS Name Query request. |
|
32 |
CVE-2007-4572 |
119 |
|
Overflow |
2007-11-16 |
2010-08-21 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
Stack-based buffer overflow in nmbd in Samba 3.0.0 through 3.0.26a, when configured as a Primary or Backup Domain controller, allows remote attackers to have an unknown impact via crafted GETDC mailslot requests, related to handling of GETDC logon server requests. |
|
33 |
CVE-2007-4138 |
264 |
|
|
2007-09-13 |
2010-08-21 |
6.9 |
Admin |
Local |
Medium |
Not required |
Complete |
Complete |
Complete |
|
The Winbind nss_info extension (nsswitch/idmap_ad.c) in idmap_ad.so in Samba 3.0.25 through 3.0.25c, when the "winbind nss info" option is set to rfc2307 or sfu, grants all local users the privileges of gid 0 when the (1) RFC2307 or (2) Services for UNIX (SFU) primary group attribute is not defined. |
|
34 |
CVE-2007-2447 |
|
|
Exec Code |
2007-05-14 |
2010-11-30 |
6.0 |
User |
Remote |
Medium |
Single system |
Partial |
Partial |
Partial |
|
The MS-RPC functionality in smbd in Samba 3.0.0 through 3.0.25rc3 allows remote attackers to execute arbitrary commands via shell metacharacters involving the (1) SamrChangePassword function, when the "username map script" smb.conf option is enabled, and allows remote authenticated users to execute commands via shell metacharacters involving other MS-RPC functions in the (2) remote printer and (3) file share management. |
|
35 |
CVE-2007-2446 |
119 |
|
Exec Code Overflow |
2007-05-14 |
2010-11-30 |
10.0 |
Admin |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
Multiple heap-based buffer overflows in the NDR parsing in smbd in Samba 3.0.0 through 3.0.25rc3 allow remote attackers to execute arbitrary code via crafted MS-RPC requests involving (1) DFSEnum (netdfs_io_dfs_EnumInfo_d), (2) RFNPCNEX (smb_io_notify_option_type_data), (3) LsarAddPrivilegesToAccount (lsa_io_privilege_set), (4) NetSetFileSecurity (sec_io_acl), or (5) LsarLookupSids/LsarLookupSids2 (lsa_io_trans_names). |
|
36 |
CVE-2007-2444 |
|
|
+Priv |
2007-05-14 |
2010-11-30 |
7.2 |
Admin |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
Logic error in the SID/Name translation functionality in smbd in Samba 3.0.23d through 3.0.25pre2 allows local users to gain temporary privileges and execute SMB/CIFS protocol operations via unspecified vectors that cause the daemon to transition to the root user. |
|
37 |
CVE-2007-2407 |
|
|
|
2007-08-03 |
2008-09-05 |
4.0 |
None |
Remote |
Low |
Single system |
None |
None |
Partial |
|
The Samba server on Apple Mac OS X 10.3.9 and 10.4.10, when Windows file sharing is enabled, does not enforce disk quotas after dropping privileges, which allows remote authenticated users to use disk space in excess of quota. |
|
38 |
CVE-2007-0454 |
|
|
Exec Code |
2007-02-05 |
2010-09-15 |
7.5 |
User |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Format string vulnerability in the afsacl.so VFS module in Samba 3.0.6 through 3.0.23d allows context-dependent attackers to execute arbitrary code via format string specifiers in a filename on an AFS file system, which is not properly handled during Windows ACL mapping. |
|
39 |
CVE-2007-0453 |
|
|
Exec Code Overflow |
2007-02-05 |
2008-11-15 |
4.6 |
User |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
Buffer overflow in the nss_winbind.so.1 library in Samba 3.0.21 through 3.0.23d, as used in the winbindd daemon on Solaris, allows attackers to execute arbitrary code via the (1) gethostbyname and (2) getipnodebyname functions. |
|
40 |
CVE-2007-0452 |
|
|
DoS |
2007-02-05 |
2010-09-15 |
6.8 |
None |
Remote |
Low |
Single system |
None |
None |
Complete |
|
smbd in Samba 3.0.6 through 3.0.23d allows remote authenticated users to cause a denial of service (memory and CPU exhaustion) by renaming a file in a way that prevents a request from being removed from the deferred open queue, which triggers an infinite loop. |
|
41 |
CVE-2006-3403 |
|
|
DoS |
2006-07-12 |
2010-09-15 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The smdb daemon (smbd/service.c) in Samba 3.0.1 through 3.0.22 allows remote attackers to cause a denial of service (memory consumption) via a large number of share connection requests. |
|
42 |
CVE-2006-2194 |
|
|
+Priv |
2006-07-05 |
2010-04-02 |
7.2 |
Admin |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
The winbind plugin in pppd for ppp 2.4.4 and earlier does not check the return code from the setuid function call, which might allow local users to gain privileges by causing setuid to fail, such as exceeding PAM limits for the maximum number of user processes, which prevents the winbind NTLM authentication helper from dropping privileges. |
|
43 |
CVE-2006-1059 |
|
|
|
2006-03-30 |
2008-09-05 |
1.2 |
None |
Local |
High |
Not required |
Partial |
None |
None |
|
The winbindd daemon in Samba 3.0.21 to 3.0.21c writes the machine trust account password in cleartext in log files, which allows local users to obtain the password and spoof the server in the domain. |
|
44 |
CVE-2004-2695 |
89 |
|
Exec Code Sql |
2004-12-31 |
2008-09-05 |
7.5 |
User |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in the Authorize.net callback code (subscriptions/authorize.php) in Jelsoft vBulletin 3.0 through 3.0.3 allows remote attackers to execute arbitrary SQL statements via the x_invoice_num parameter. NOTE: this issue might be related to CVE-2006-4267. |
|
45 |
CVE-2004-2687 |
16 |
|
Exec Code |
2004-12-31 |
2008-09-05 |
9.3 |
Admin |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
distcc 2.x, as used in XCode 1.5 and others, when not configured to restrict access to the server port, allows remote attackers to execute arbitrary commands via compilation jobs, which are executed by the server without authorization checks. |
|
46 |
CVE-2004-2546 |
|
|
DoS |
2004-12-31 |
2008-09-05 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
None |
Partial |
|
Multiple memory leaks in Samba before 3.0.6 allow attackers to cause a denial of service (memory consumption). |
|
47 |
CVE-2004-1154 |
|
|
DoS Exec Code Overflow |
2005-01-10 |
2010-08-21 |
10.0 |
Admin |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
Integer overflow in the Samba daemon (smbd) in Samba 2.x and 3.0.x through 3.0.9 allows remote authenticated users to cause a denial of service (application crash) and possibly execute arbitrary code via a Samba request with a large number of security descriptors that triggers a heap-based buffer overflow. |
|
48 |
CVE-2004-1002 |
|
|
DoS |
2005-03-01 |
2008-09-05 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Integer underflow in pppd in cbcp.c for ppp 2.4.1 allows remote attackers to cause a denial of service (daemon crash) via a CBCP packet with an invalid length value that causes pppd to access an incorrect memory location. |
|
49 |
CVE-2004-0930 |
|
|
DoS |
2005-01-27 |
2010-08-21 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The ms_fnmatch function in Samba 3.0.4 and 3.0.7 and possibly other versions allows remote authenticated users to cause a denial of service (CPU consumption) via a SAMBA request that contains multiple * (wildcard) characters. |
|
50 |
CVE-2004-0882 |
|
|
Exec Code Overflow |
2005-01-27 |
2010-08-21 |
10.0 |
Admin |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
Buffer overflow in the QFILEPATHINFO request handler in Samba 3.0.x through 3.0.7 may allow remote attackers to execute arbitrary code via a TRANSACT2_QFILEPATHINFO request with a small "maximum data bytes" value. |
