CVSS: 9.8EPSS: 0%CPEs: 7EXPL: 1CVE-2023-3961 – Samba: smbd allows client access to unix domain sockets on the file system as root
https://notcve.org/view.php?id=CVE-2023-3961
A path traversal vulnerability was identified in Samba when processing client pipe names connecting to Unix domain sockets within a private directory. Samba typically uses this mechanism to connect SMB clients to remote procedure call (RPC) services like SAMR LSA or SPOOLSS, which Samba initiates on demand. However, due to inadequate sanitization of incoming client pipe names, allowing a client to send a pipe name containing Unix directory traversal characters (../). This could result in SMB clients connecting as root to Unix domain sockets outside the private directory. If an attacker or client managed to send a pipe name resolving to an external service using an existing Unix domain socket, it could potentially lead to unauthorized access to the service and consequential adverse events, including compromise or service crashes. • https://access.redhat.com/errata/RHSA-2023:6209 https://access.redhat.com/errata/RHSA-2023:6744 https://access.redhat.com/errata/RHSA-2023:7371 https://access.redhat.com/errata/RHSA-2023:7408 https://access.redhat.com/errata/RHSA-2023:7464 https://access.redhat.com/errata/RHSA-2023:7467 https://access.redhat.com/security/cve/CVE-2023-3961 https://bugzilla.redhat.com/show_bug.cgi?id=2241881 https://bugzilla.samba.org/show_bug.cgi?id=15422 https://lists.fedoraproject.o • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 0%CPEs: 8EXPL: 0CVE-2023-39325 – HTTP/2 rapid reset can cause excessive work in net/http
https://notcve.org/view.php?id=CVE-2023-39325
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. • https://go.dev/cl/534215 https://go.dev/cl/534235 https://go.dev/issue/63417 https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo/m/UDd7VKQuAAAJ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3OVW5V2DM5K5IC3H7O42YDUGNJ74J35O https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3SZN67IL7HMGMNAVLOTIXLIHUDXZK4LH https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3WJ4QVX2AMUJ2F2S27POOAHRC4K3CHU4 https: • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 1CVE-2023-5535 – Use After Free in vim/vim
https://notcve.org/view.php?id=CVE-2023-5535
Use After Free in GitHub repository vim/vim prior to v9.0.2010. Use After Free en el repositorio de GitHub vim/vim anterior a la versión 9.0.2010. • https://github.com/vim/vim/commit/41e6f7d6ba67b61d911f9b1d76325cd79224753d https://huntr.dev/bounties/2c2d85a7-1171-4014-bf7f-a2451745861f https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VDDWD25AZIHBAA44HQT75OWLQ5UMDKU3 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VGTVLUV7UCXXCZAIQIUCLG6JXAVYT3HE https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XPT7NMYJRLBPIALGSE24UWTY6F774GZW • CWE-416: Use After Free •
CVSS: 6.5EPSS: 0%CPEs: 7EXPL: 0CVE-2023-4091 – Samba: smb clients can truncate files with read-only permissions
https://notcve.org/view.php?id=CVE-2023-4091
A vulnerability was discovered in Samba, where the flaw allows SMB clients to truncate files, even with read-only permissions when the Samba VFS module "acl_xattr" is configured with "acl_xattr:ignore system acls = yes". The SMB protocol allows opening files when the client requests read-only access but then implicitly truncates the opened file to 0 bytes if the client specifies a separate OVERWRITE create disposition request. The issue arises in configurations that bypass kernel file system permissions checks, relying solely on Samba's permissions. Se descubrió una vulnerabilidad en Samba, donde la falla permite a los clientes SMB truncar archivos, incluso con permisos de solo lectura cuando el módulo Samba VFS "acl_xattr" está configurado con "acl_xattr:ignore system acls = yes". El protocolo SMB permite abrir archivos cuando el cliente solicita acceso de solo lectura, pero luego trunca implícitamente el archivo abierto a 0 bytes si el cliente especifica una solicitud de disposición de creación de SOBRESCRITURA separada. • https://access.redhat.com/errata/RHSA-2023:6209 https://access.redhat.com/errata/RHSA-2023:6744 https://access.redhat.com/errata/RHSA-2023:7371 https://access.redhat.com/errata/RHSA-2023:7408 https://access.redhat.com/errata/RHSA-2023:7464 https://access.redhat.com/errata/RHSA-2023:7467 https://access.redhat.com/security/cve/CVE-2023-4091 https://bugzilla.redhat.com/show_bug.cgi?id=2241882 https://bugzilla.samba.org/show_bug.cgi?id=15439 https://lists.debian.org/ • CWE-276: Incorrect Default Permissions •
CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0CVE-2023-42670 – Samba: ad dc busy rpc multiple listener dos
https://notcve.org/view.php?id=CVE-2023-42670
A flaw was found in Samba. It is susceptible to a vulnerability where multiple incompatible RPC listeners can be initiated, causing disruptions in the AD DC service. When Samba's RPC server experiences a high load or unresponsiveness, servers intended for non-AD DC purposes (for example, NT4-emulation "classic DCs") can erroneously start and compete for the same unix domain sockets. This issue leads to partial query responses from the AD DC, causing issues such as "The procedure number is out of range" when using tools like Active Directory Users. This flaw allows an attacker to disrupt AD DC services. • https://access.redhat.com/security/cve/CVE-2023-42670 https://bugzilla.redhat.com/show_bug.cgi?id=2241885 https://bugzilla.samba.org/show_bug.cgi?id=15473 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZUMVALLFFDFC53JZMUWA6HPD7HUGAP5I https://security.netapp.com/advisory/ntap-20231124-0002 https://www.samba.org/samba/security/CVE-2023-42670.html • CWE-400: Uncontrolled Resource Consumption •