Permissions, Privileges, and Access Controls in samba (Alpine package)
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2015-5252 |
| CWE-ID | CWE-264 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
samba (Alpine package) Operating systems & Components / Operating system package or component |
| Vendor | Alpine Linux Development Team |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU32347
Risk: Medium
CVSSv3.1: 6.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2015-5252
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
vfs.c in smbd in Samba 3.x and 4.x before 4.1.22, 4.2.x before 4.2.7, and 4.3.x before 4.3.3, when share names with certain substring relationships exist, allows remote attackers to bypass intended file-access restrictions via a symlink that points outside of a share.
MitigationInstall update from vendor's website.
Vulnerable software versionssamba (Alpine package): 4.1.1-r0 - 4.2.3-r3
CPE2.3- cpe:2.3:o:alpine:samba_alpine_package:4.1.8-r0:*:*:*:*:alpine_linux:*:
- cpe:2.3:o:alpine:samba_alpine_package:4.1.14-r1:*:*:*:*:alpine_linux:*:
- cpe:2.3:o:alpine:samba_alpine_package:4.1.9-r0:*:*:*:*:alpine_linux:*:
http://git.alpinelinux.org/aports/commit/?id=2c8df8d5eb5c12b722deb30952b55b164fc7111a
http://git.alpinelinux.org/aports/commit/?id=47affed1795cc5ca4cdd4625ea53ba85513f0636
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
