CVE-2013-0172
low
CVSS v3
—
CVSS v2
3.5
VIR risk
3.5
Description
Samba 4.0.x before 4.0.1, in certain Active Directory domain-controller configurations, does not properly interpret Access Control Entries that are based on an objectClass, which allows remote authenticated users to bypass intended restrictions on modifying LDAP directory objects by leveraging (1) objectClass access by a user, (2) objectClass access by a group, or (3) write access to an attribute.
Predictions
Exploit likelihood
20%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2013-0172
Vendor advisory: secalert@redhat.com — http://www.samba.org/samba/security/CVE-2013-0172
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | fixed | 0 |
| debian | bullseye | fixed | 0 |
| debian | forky | fixed | 0 |
| debian | sid | fixed | 0 |
| debian | trixie | fixed | 0 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| samba | samba | 4.0.0 | |
References
CWEs
CWE-264
Verify integrity in audit chain (admin only). AS-IS.