CVE-2009-2948 — Incorrect Permission Assignment in Samba

CWE-732 — Incorrect Permission Assignment7 documents7 sources

Severity

1.9LOWNVD

EPSS

0.2%

top 56.41%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Samba Debian Samba

Timeline

PublishedOct 7

Latest updateMay 2

Description

mount.cifs in Samba 3.0 before 3.0.37, 3.2 before 3.2.15, 3.3 before 3.3.8 and 3.4 before 3.4.2, when mount.cifs is installed suid root, does not properly enforce permissions, which allows local users to read part of the credentials file and obtain the password by specifying the path to the credentials file and using the --verbose or -v option.

CVSS vector

AV:L/AC:M/C:P/I:N/A:NExploitability: 3.4 | Impact: 2.9

Affected Packages3 packages

▶NVDsamba/samba3.0.0 — 3.0.37+3

▶debiandebian/samba< samba 2:3.4.2-1 (bookworm)

▶Debiansamba/samba< 2:3.4.2-1+3

Patches

Patch: slackware.com ↗Patch: www.samba.org ↗Patch: www.securityfocus.com ↗

🔴Vulnerability Details

GHSA

GHSA-fwxv-68qg-w737: mount↗2022-05-02

▶

OSV

CVE-2009-2948: mount↗2009-10-07

▶

📋Vendor Advisories

Ubuntu

Samba vulnerabilities↗2009-10-01

▶

Red Hat

samba: information disclosure in suid mount.cifs↗2009-10-01

▶

Debian

CVE-2009-2948: samba - mount.cifs in Samba 3.0 before 3.0.37, 3.2 before 3.2.15, 3.3 before 3.3.8 and 3...↗2009

▶

💬Community

Bugzilla

CVE-2009-2948 samba: information disclosure in suid mount.cifs↗2009-09-28

▶