CVE-2016-2125

CWE-287 — Improper Authentication CWE-20 — Improper Input Validation10 documents8 sources

Severity

6.5MEDIUM

EPSS

11.7%

top 6.33%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Samba Samba [unknown] Samba Redhat Enterprise Linux Desktop +6 more

Timeline

PublishedOct 31

Latest updateMay 13

Description

It was found that Samba before versions 4.5.3, 4.4.8, 4.3.13 always requested forwardable tickets when using Kerberos authentication. A service to which Samba authenticated using Kerberos could subsequently use the ticket to impersonate Samba to other services or domain users.

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages7 packages

▶NVDsamba/samba3.0.25 — 4.3.13+2

▶Debiansamba< 2:4.5.2+dfsg-2+3

▶CVEListV5[unknown]/samba4.3.13, 4.4.8, 4.5.3+2

▶NVDredhat/gluster_storage3.0

▶NVDredhat/enterprise_linux_server6.0, 7.0+1

Also affects: Enterprise Linux 7.4, 7.6, 7.3, 7.5

Patches

Patch: www.samba.org ↗Patch: www.samba.org ↗

🔴Vulnerability Details

GHSA

GHSA-qc7g-mqp8-fhmm: It was found that Samba before versions 4↗2022-05-13

▶

OSV

CVE-2016-2125: It was found that Samba before versions 4↗2018-10-31

▶

CVEList

CVE-2016-2125: It was found that Samba before versions 4↗2018-10-31

▶

OSV

samba vulnerabilities↗2016-12-19

▶

📋Vendor Advisories

Red Hat

samba: Unconditional privilege delegation to Kerberos servers in trusted realms↗2016-12-19

▶

Ubuntu

Samba vulnerabilities↗2016-12-19

▶

Debian

CVE-2016-2125: samba - It was found that Samba before versions 4.5.3, 4.4.8, 4.3.13 always requested fo...↗2016

▶

💬Community

Bugzilla

CVE-2016-2125 CVE-2016-2126 samba: various flaws [fedora-all]↗2016-12-19

▶

Bugzilla

CVE-2016-2125 samba: Unconditional privilege delegation to Kerberos servers in trusted realms↗2016-12-09

▶