CVE Database


Impact: Low
Public: 2012-06-12
Bugzilla: 1036897: CVE-2012-6150 samba: pam_winbind fails open when non-existent group specified to require_membership_of


The MITRE CVE dictionary describes this issue as:

The winbind_name_list_to_sid_string_list function in nsswitch/pam_winbind.c in Samba through 4.1.2 handles invalid require_membership_of group names by accepting authentication by any user, which allows remote authenticated users to bypass intended access restrictions in opportunistic circumstances by leveraging an administrator's pam_winbind configuration-file mistake.

Find out more about CVE-2012-6150 from the MITRE CVE dictionary and NIST NVD.

CVSS v2 metrics

Base Score: 2.9
Base Metrics: AV:A/AC:H/Au:S/C:P/I:P/A:N
Access Vector: Adjacent Network
Access Complexity: High
Authentication: Single Instance
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: None

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat security errata

Platform                                      Errata          Release Date
Red Hat Enterprise Linux version 5 (samba3x)  RHSA-2014:0330  March 25, 2014
Red Hat Enterprise Linux version 6 (samba)    RHSA-2014:0330  March 25, 2014
Red Hat Enterprise Linux version 6 (samba4)   RHSA-2014:0383  April 09, 2014

External References


Red Hat would like to thank Sam Richardson for reporting this issue.

This page is generated automatically and has not been checked for errors or omissions.

For clarification or corrections please contact the Red Hat Security Response Team.