CVE-2018-10919 — Observable Discrepancy in Samba
Severity
6.5 MEDIUM (NVD)
CNA: 4.3
EPSS
1.4%
top 19.74%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Aug 22
Latest update: Apr 11
Description
The Samba Active Directory LDAP server was vulnerable to an information disclosure flaw because of missing access control checks. An authenticated attacker could use this flaw to extract confidential attribute values using LDAP search expressions. Samba versions before 4.6.16, 4.7.9 and 4.8.4 are vulnerable.
CVSS vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 2.8 | Impact: 3.6
Affected Packages (4 packages)
Also affects: Debian Linux 9.0, Ubuntu Linux 14.04, 16.04, 18.04
Patches
Vulnerability Details (3)
GHSA
GHSA-2h4c-mfg2-2f7f: The Samba Active Directory LDAP server was vulnerable to an information disclosure flaw because of missing access control checks (2022-05-13)
CVEList
CVE-2018-10919: The Samba Active Directory LDAP server was vulnerable to an information disclosure flaw because of missing access control checks (2018-08-22)
OSV
CVE-2018-10919: The Samba Active Directory LDAP server was vulnerable to an information disclosure flaw because of missing access control checks (2018-08-22)
Vendor Advisories (5)
Microsoft
The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919 "Confidential attribute disclosure via LDAP filters" was insufficient, and an attacker may be able to obtain confidential BitLocker recovery keys (2023-04-11)
Debian
CVE-2018-10919: samba - The Samba Active Directory LDAP server was vulnerable to an information disclosu... (2018)