Vulnerability Details : CVE-2015-5330
ldb before 1.1.24, as used in the AD LDAP server in Samba 4.x before 4.1.22, 4.2.x before 4.2.7, and 4.3.x before 4.3.3, mishandles string lengths, which allows remote attackers to obtain sensitive information from daemon heap memory by sending crafted packets and then reading (1) an error message or (2) a database value.
Products affected by CVE-2015-5330
- cpe:2.3:a:samba:samba:4.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:4.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:4.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:4.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:4.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:4.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:4.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:4.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:4.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:4.0.9:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:4.0.11:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:4.0.10:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:4.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:4.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:4.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:4.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:4.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:4.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:4.0.14:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:4.0.15:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:4.0.12:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:4.0.13:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:4.1.6:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:4.1.7:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:4.1.8:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:4.0.17:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:4.0.18:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:4.0.16:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:4.1.9:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:4.1.10:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:4.0.20:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:4.0.19:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:4.0.21:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:4.1.14:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:4.1.15:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:4.0.22:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:4.0.23:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:4.1.11:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:4.1.12:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:4.1.13:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:4.1.16:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:4.0.24:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:4.2.6:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:4.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:4.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:4.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:4.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:4.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:4.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:4.1.18:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:4.1.17:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:4.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:4.1.21:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:4.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:4.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:4.1.20:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:4.1.19:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2015-5330
0.70%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 70 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2015-5330
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
10.0
|
2.9
|
NIST | |
|
7.5
|
HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
3.9
|
3.6
|
NIST |
CWE ids for CVE-2015-5330
-
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.Assigned by: nvd@nist.gov (Primary)
References for CVE-2015-5330
-
https://git.samba.org/?p=samba.git%3Ba=commit%3Bh=0454b95657846fcecf0f51b6f1194faac02518bd
git.samba.org
-
https://security.gentoo.org/glsa/201612-47
Samba: Multiple vulnerabilities (GLSA 201612-47) — Gentoo security
-
http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00017.html
[security-announce] SUSE-SU-2016:0164-1: important: Security update for
-
http://www.debian.org/security/2016/dsa-3433
Debian -- Security Information -- DSA-3433-1 samba
-
http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00032.html
[security-announce] openSUSE-SU-2015:2354-1: important: Security update
-
http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00042.html
[security-announce] openSUSE-SU-2016:1064-1: important: Security update
-
http://www.ubuntu.com/usn/USN-2856-1
USN-2856-1: ldb vulnerabilities | Ubuntu security notices
-
https://git.samba.org/?p=samba.git%3Ba=commit%3Bh=f36cb71c330a52106e36028b3029d952257baf15
git.samba.org
-
https://git.samba.org/?p=samba.git%3Ba=commit%3Bh=a118d4220ed85749c07fb43c1229d9e2fecbea6b
git.samba.org
-
http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00019.html
[security-announce] SUSE-SU-2015:2304-1: important: Security update for
-
https://git.samba.org/?p=samba.git;a=commit;h=0454b95657846fcecf0f51b6f1194faac02518bd
git.samba.org - samba.git/commit
-
https://git.samba.org/?p=samba.git%3Ba=commit%3Bh=538d305de91e34a2938f5f219f18bf0e1918763f
git.samba.org
-
https://git.samba.org/?p=samba.git;a=commit;h=7f51ec8c4ed9ba1f53d722e44fb6fb3cde933b72
git.samba.org - samba.git/commit
-
http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00033.html
[security-announce] openSUSE-SU-2015:2356-1: important: Security update
-
https://git.samba.org/?p=samba.git%3Ba=commit%3Bh=7f51ec8c4ed9ba1f53d722e44fb6fb3cde933b72
git.samba.org
-
http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00020.html
[security-announce] SUSE-SU-2015:2305-1: important: Security update for
-
http://www.ubuntu.com/usn/USN-2855-2
USN-2855-2: Samba regression | Ubuntu security notices
-
http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00002.html
[security-announce] SUSE-SU-2016:0032-1: important: Security update for
-
https://git.samba.org/?p=samba.git;a=commit;h=a118d4220ed85749c07fb43c1229d9e2fecbea6b
git.samba.org - samba.git/commit
-
http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html
Oracle Linux Bulletin - January 2016
-
https://bugzilla.redhat.com/show_bug.cgi?id=1281326
1281326 – (CVE-2015-5330) CVE-2015-5330 samba, libldb: remote memory read in the Samba LDAP server
-
http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00047.html
[security-announce] openSUSE-SU-2016:1106-1: important: Security update
-
http://www.securitytracker.com/id/1034493
Samba Multiple Flaws Let Remote Users Access Data and Files, Obtain Potentially Sensitive Information, and Deny Service - SecurityTracker
-
https://git.samba.org/?p=samba.git;a=commit;h=f36cb71c330a52106e36028b3029d952257baf15
git.samba.org - samba.git/commit
-
https://www.samba.org/samba/security/CVE-2015-5330.html
Samba - Security Announcement ArchiveVendor Advisory
-
https://git.samba.org/?p=samba.git%3Ba=commit%3Bh=ba5dbda6d0174a59d221c45cca52ecd232820d48
git.samba.org
-
https://git.samba.org/?p=samba.git;a=commit;h=ba5dbda6d0174a59d221c45cca52ecd232820d48
git.samba.org - samba.git/commit
-
http://www.ubuntu.com/usn/USN-2855-1
USN-2855-1: Samba vulnerabilities | Ubuntu security notices
-
https://git.samba.org/?p=samba.git;a=commit;h=538d305de91e34a2938f5f219f18bf0e1918763f
git.samba.org - samba.git/commit
-
http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00048.html
[security-announce] openSUSE-SU-2016:1107-1: important: Security update
-
http://www.securityfocus.com/bid/79734
Samba ldb CVE-2015-5330 Multiple Information Disclosure Vulnerabilities
Jump to