Description
There is an issue in all samba 4.11.x versions before 4.11.5, all samba 4.10.x versions before 4.10.12 and all samba 4.9.x versions before 4.9.18, where the removal of the right to create or modify a subtree would not automatically be taken away on all domain controllers.
CVSS breakdown
CVSS 3.1
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None
Affected products
- Unknown / sambaall samba 4.11.x versions before 4.11.5 – all samba 4.11.x versions before 4.11.5
- Unknown / sambaall samba 4.10.x versions before 4.10.12 – all samba 4.10.x versions before 4.10.12
- Unknown / sambaall samba 4.9.x versions before 4.9.18 – all samba 4.9.x versions before 4.9.18
References
- MISChttps://www.samba.org/samba/security/CVE-2019-14902.html
- MISChttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14902
- MISChttps://security.netapp.com/advisory/ntap-20200122-0001/
- MISChttps://www.synology.com/security/advisory/Synology_SA_20_01
- VENDOR_ADVISORYhttps://usn.ubuntu.com/4244-1/
- MAILING_LISThttp://lists.opensuse.org/opensuse-security-announce/2020-01/msg00055.html
- MAILING_LISThttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GQ6U65I2K23YJC4FESW477WL55TU3PPT/
- MAILING_LISThttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ACZVNMIFQGGXNJPMHAVBN3H2U65FXQY/
- MISChttps://security.gentoo.org/glsa/202003-52
- MAILING_LISThttps://lists.debian.org/debian-lts-announce/2021/05/msg00023.html
- MAILING_LISThttps://lists.debian.org/debian-lts-announce/2023/09/msg00013.html