Severity
3.5 LOW (NVD)
EPSS
1.9%
top 16.64%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: May 28
Latest update: May 14

Description

Samba 3.6.6 through 3.6.23, 4.0.x before 4.0.18, and 4.1.x before 4.1.8, when a certain vfs shadow copy configuration is enabled, does not properly initialize the SRV_SNAPSHOT_ARRAY response field, which allows remote authenticated users to obtain potentially sensitive information from process memory via a (1) FSCTL_GET_SHADOW_COPY_DATA or (2) FSCTL_SRV_ENUMERATE_SNAPSHOTS request.

CVSS vector

AV:N/AC:M/C:P/I:N/A:N
Exploitability: 6.8 | Impact: 2.9

Affected Packages (4 packages)

NVD | samba/samba | 3.6.6 | 3.6.25 | +28
debian | debian/samba | < samba 2:4.1.8+dfsg-1 (bookworm)
Debian | samba/samba | < 2:4.1.8+dfsg-1 | +3
Ubuntu | samba/samba | < 2:4.1.6+dfsg-1ubuntu2.14.04.2

🔴 Vulnerability Details (3)

GHSA | GHSA-f9qr-2qwc-jwpc: Samba 3 | 2022-05-14
OSV | samba vulnerabilities | 2014-06-26
OSV | CVE-2014-0178: Samba 3 | 2014-05-28

📋 Vendor Advisories (3)

Ubuntu | Samba vulnerabilities | 2014-06-26
Red Hat | samba: Uninitialized memory exposure | 2014-05-28
Debian | CVE-2014-0178: samba - Samba 3.6.6 through 3.6.23, 4.0.x before 4.0.18, and 4.1.x before 4.1.8, when a ... | 2014

💬 Community (2)

Bugzilla | CVE-2014-0178 samba: Uninitialized memory exposure [fedora-all] | 2014-05-29
Bugzilla | CVE-2014-0178 samba: Uninitialized memory exposure | 2014-05-28