CVE Database

CVE-2013-4475

Impact: Moderate
Public: 2013-10-25
Bugzilla: 1024542: CVE-2013-4475 samba: no access check verification on stream files
IAVA: 2013-B-0131

Details

The MITRE CVE dictionary describes this issue as:

Samba 3.2.x through 3.6.x before 3.6.20, 4.0.x before 4.0.11, and 4.1.x before 4.1.1, when vfs_streams_depot or vfs_streams_xattr is enabled, allows remote attackers to bypass intended file restrictions by leveraging ACL differences between a file and an associated alternate data stream (ADS).

Find out more about CVE-2013-4475 from the MITRE CVE dictionary and NIST NVD.

Statement

This issue did not affect the samba package in Red Hat Enterprise Linux 5. This issue was addressed for the samba3x package in Red Hat Enterprise Linux 5 and the samba package in Red Hat Enterprise Linux 6 via https://rhn.redhat.com/errata/RHSA-2013-1806.html, and for the samba package in Red Hat Storage via https://rhn.redhat.com/errata/RHSA-2014-0009.html.

CVSS v2 metrics

Base Score: 4.1
Base Metrics: AV:A/AC:L/Au:S/C:P/I:P/A:N
Access Vector: Adjacent Network
Access Complexity: Low
Authentication: Single Instance
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: None

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat security errata

Platform                                      Errata          Release Date
Red Hat Enterprise Linux version 5 (samba3x)  RHSA-2013:1806  December 10, 2013
Red Hat Enterprise Linux version 6 (samba)    RHSA-2013:1806  December 10, 2013
Red Hat Storage Server 2.1 (samba)            RHSA-2014:0009  January 06, 2014

External References

http://www.samba.org/samba/security/CVE-2013-4475

This page is generated automatically and has not been checked for errors or omissions.

For clarification or corrections, please contact the Red Hat Security Response Team.