Vulnerability Details : CVE-2009-2948
mount.cifs in Samba 3.0 before 3.0.37, 3.2 before 3.2.15, 3.3 before 3.3.8 and 3.4 before 3.4.2, when mount.cifs is installed suid root, does not properly enforce permissions, which allows local users to read part of the credentials file and obtain the password by specifying the path to the credentials file and using the --verbose or -v option.
Exploit prediction scoring system (EPSS) score for CVE-2009-2948
Probability of exploitation activity in the next 30 days: 0.06%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 26 %
CVSS scores for CVE-2009-2948
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
1.9 | LOW | AV:L/AC:M/Au:N/C:P/I:N/A:N | 3.4 | 2.9 | NIST |
CWE ids for CVE-2009-2948
- The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. Assigned by: nvd@nist.gov (Primary)
References for CVE-2009-2948
- http://www.securitytracker.com/id?1022975
  Broken Link; Patch; Third Party Advisory; VDB Entry
- http://slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.561439
  Patch; Third Party Advisory
- http://news.samba.org/releases/3.2.15/
  Broken Link; Vendor Advisory
- http://www.securityfocus.com/bid/36572
  Patch; Third Party Advisory; VDB Entry
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7087
  Broken Link; Third Party Advisory
- https://exchange.xforce.ibmcloud.com/vulnerabilities/53574
  Third Party Advisory; VDB Entry
- http://news.samba.org/releases/3.3.8/
  Broken Link; Vendor Advisory
- http://www.ubuntu.com/usn/USN-839-1
  Third Party Advisory
- https://www.redhat.com/archives/fedora-package-announce/2009-October/msg00095.html
  Patch; Third Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html
  [security-announce] SUSE Security Summary Report: SUSE-SR:2009:017 - openSUSE Security Announce - openSUSE Mailing Lists
  Mailing List; Third Party Advisory
- http://news.samba.org/releases/3.0.37/
  Broken Link; Vendor Advisory
- http://news.samba.org/releases/3.4.2/
  Broken Link; Vendor Advisory
- https://www.redhat.com/archives/fedora-package-announce/2009-October/msg00098.html
  Patch; Third Party Advisory
- http://www.samba.org/samba/security/CVE-2009-2948.html
  Patch; Vendor Advisory
- http://www.vupen.com/english/advisories/2009/2810
  Permissions Required; Vendor Advisory
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10434
  Broken Link; Third Party Advisory
Products affected by CVE-2009-2948
- cpe:2.3:a:samba:samba:*:*:*:*:*:*:*:*