CVE-2015-5252 — Improper Resolution of Path Equivalence in Samba

CWE-264 CWE-41 — Improper Resolution of Path Equivalence11 documents7 sources

Severity

7.2HIGHNVD

OSV5.3

EPSS

17.3%

top 4.94%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Samba Debian Samba Canonical Ubuntu Linux +1 more

Timeline

PublishedDec 29

Latest updateMay 17

Description

vfs.c in smbd in Samba 3.x and 4.x before 4.1.22, 4.2.x before 4.2.7, and 4.3.x before 4.3.3, when share names with certain substring relationships exist, allows remote attackers to bypass intended file-access restrictions via a symlink that points outside of a share.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:NExploitability: 3.9 | Impact: 2.7

Affected Packages4 packages

▶NVDsamba/samba3.0.0 — 4.1.22+2

▶debiandebian/samba< samba 2:4.1.22+dfsg-1 (bookworm)

▶Debiansamba/samba< 2:4.1.22+dfsg-1+3

▶Ubuntusamba/samba< 2:4.1.6+dfsg-1ubuntu2.14.04.11+1

Also affects: Debian Linux 7.0, 8.0, Ubuntu Linux 12.04, 14.04, 15.04, 15.10

🔴Vulnerability Details

GHSA

GHSA-v8hr-9qpr-jrwc: vfs↗2022-05-17

▶

OSV

samba regression↗2016-02-16

▶

OSV

samba vulnerabilities↗2016-01-05

▶

OSV

CVE-2015-5252: vfs↗2015-12-29

▶

📋Vendor Advisories

Ubuntu

Samba regression↗2016-02-16

▶

Ubuntu

Samba vulnerabilities↗2016-01-05

▶

Red Hat

samba: Insufficient symlink verification in smbd↗2015-12-16

▶

Debian

CVE-2015-5252: samba - vfs.c in smbd in Samba 3.x and 4.x before 4.1.22, 4.2.x before 4.2.7, and 4.3.x ...↗2015

▶

💬Community

Bugzilla

CVE-2015-5299 CVE-2015-7540 CVE-2015-3223 CVE-2015-5252 CVE-2015-5296 samba: various flaws [fedora-all]↗2015-12-16

▶

Bugzilla

CVE-2015-5252 samba: Insufficient symlink verification in smbd↗2015-12-10

▶