Vulnerability Details : CVE-2009-2948
mount.cifs in Samba 3.0 before 3.0.37, 3.2 before 3.2.15, 3.3 before 3.3.8 and 3.4 before 3.4.2, when mount.cifs is installed suid root, does not properly enforce permissions, which allows local users to read part of the credentials file and obtain the password by specifying the path to the credentials file and using the --verbose or -v option.
Products affected by CVE-2009-2948
- cpe:2.3:a:samba:samba:*:*:*:*:*:*:*:* (affected version ranges as stated in the description: 3.0 before 3.0.37, 3.2 before 3.2.15, 3.3 before 3.3.8, 3.4 before 3.4.2)
Exploit prediction scoring system (EPSS) score for CVE-2009-2948
- EPSS score: 0.59% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~78% (the proportion of vulnerabilities that are scored at or below this value)
CVSS scores for CVE-2009-2948
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
1.9 | LOW | AV:L/AC:M/Au:N/C:P/I:N/A:N | 3.4 | 2.9 | NIST | (not listed)
CWE ids for CVE-2009-2948
- The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2009-2948
- http://www.securitytracker.com/id?1022975 : Broken Link; Patch; Third Party Advisory; VDB Entry (page title: "Access Denied")
- http://slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.561439 : Patch; Third Party Advisory (The Slackware Linux Project: Slackware Security Advisories)
- http://news.samba.org/releases/3.2.15/ : Broken Link; Vendor Advisory (page title: "Site not found (404)")
- http://www.securityfocus.com/bid/36572 : Patch; Third Party Advisory; VDB Entry
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7087 : Broken Link; Third Party Advisory (page title: "404 Not Found")
- https://exchange.xforce.ibmcloud.com/vulnerabilities/53574 : Third Party Advisory; VDB Entry (Samba mount.cifs information disclosure CVE-2009-2948 Vulnerability Report)
- http://news.samba.org/releases/3.3.8/ : Broken Link; Vendor Advisory (page title: "Site not found (404)")
- http://www.ubuntu.com/usn/USN-839-1 : Third Party Advisory (USN-839-1: Samba vulnerabilities | Ubuntu security notices)
- https://www.redhat.com/archives/fedora-package-announce/2009-October/msg00095.html : Patch; Third Party Advisory ([SECURITY] Fedora 11 Update: samba-3.4.2-0.42.fc11)
- http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html : Mailing List; Third Party Advisory ([security-announce] SUSE Security Summary Report: SUSE-SR:2009:017, openSUSE Security Announce mailing list)
- http://news.samba.org/releases/3.0.37/ : Broken Link; Vendor Advisory (page title: "Site not found (404)")
- http://news.samba.org/releases/3.4.2/ : Broken Link; Vendor Advisory (page title: "Site not found (404)")
- https://www.redhat.com/archives/fedora-package-announce/2009-October/msg00098.html : Patch; Third Party Advisory ([SECURITY] Fedora 10 Update: samba-3.2.15-0.36.fc10)
- http://www.samba.org/samba/security/CVE-2009-2948.html : Patch; Vendor Advisory (Samba - Security Announcement Archive)
- http://www.vupen.com/english/advisories/2009/2810 : Permissions Required; Vendor Advisory (page title: "Site under construction")
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10434 : Broken Link; Third Party Advisory (page title: "404 Not Found")