CVE-2019-14907

CWE-125Out-of-bounds Read10 documents8 sources
Severity
6.5MEDIUM
EPSS
10.2%
top 6.85%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
9
Samba SambaRED HAT SambaCanonical Ubuntu Linux+6 more
Timeline
PublishedJan 21
Latest updateMay 24

Description

All samba versions 4.9.x before 4.9.18, 4.10.x before 4.10.12 and 4.11.x before 4.11.5 have an issue where if it is set with "log level = 3" (or above) then the string obtained from the client, after a failed character conversion, is printed. Such strings can be provided during the NTLMSSP authentication exchange. In the Samba AD DC in particular, this may cause a long-lived process(such as the RPC server) to terminate. (In the file server case, the most likely target, smbd, operates as process-

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages6 packages

NVDsamba/samba4.9.04.9.18+2
Debiansamba< 2:4.11.5+dfsg-1+3
CVEListV5red_hat/sambaAll versions 4.10.x before 4.10.12, All versions 4.11.x before 4.11.5, All versions 4.9.x before 4.9.18+2

Also affects: Debian Linux 9.0, Fedora 30, 31, Ubuntu Linux 16.04, 18.04, 19.04, 19.10, Enterprise Linux 7.0, 8.0

🔴Vulnerability Details

4
GHSA
GHSA-qw9p-wf2h-j96q: All samba versions 42022-05-24
OSV
CVE-2019-14907: All samba versions 42020-01-21
CVEList
CVE-2019-14907: All samba versions 42020-01-21
OSV
samba vulnerabilities2020-01-21

📋Vendor Advisories

3
Ubuntu
Samba vulnerabilities2020-01-21
Red Hat
samba: Crash after failed character conversion at log level 3 or above2020-01-21
Debian
CVE-2019-14907: samba - All samba versions 4.9.x before 4.9.18, 4.10.x before 4.10.12 and 4.11.x before ...2019

💬Community

2
Bugzilla
CVE-2019-14907 samba: Crash after failed character conversion at log level 3 or above [fedora-all]2020-01-21
Bugzilla
CVE-2019-14907 samba: Crash after failed character conversion at log level 3 or above2020-01-15