CVE-2015-5330

Description

ldb before 1.1.24, as used in the AD LDAP server in Samba 4.x before 4.1.22, 4.2.x before 4.2.7, and 4.3.x before 4.3.3, mishandles string lengths, which allows remote attackers to obtain sensitive information from daemon heap memory by sending crafted packets and then reading (1) an error message or (2) a database value.

Category

7.5
CVSS
Severity: High
CVSS 3.0 •
CVSS 2.0 •
EPSS 0.70% Top 30%
Vendor Advisory opensuse.org Vendor Advisory ubuntu.com Vendor Advisory opensuse.org Vendor Advisory ubuntu.com Vendor Advisory opensuse.org Vendor Advisory opensuse.org Vendor Advisory opensuse.org Vendor Advisory opensuse.org Vendor Advisory opensuse.org Vendor Advisory debian.org Vendor Advisory opensuse.org Vendor Advisory gentoo.org Vendor Advisory ubuntu.com Vendor Advisory opensuse.org Vendor Advisory samba.org
Affected: n/a n/a
Published at:
Updated at:

References

Link Tags
https://git.samba.org/?p=samba.git%3Ba=commit%3Bh=f36cb71c330a52106e36028b3029d952257baf15
https://git.samba.org/?p=samba.git%3Ba=commit%3Bh=ba5dbda6d0174a59d221c45cca52ecd232820d48
http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00042.html vendor advisory
http://www.ubuntu.com/usn/USN-2855-2 vendor advisory
https://git.samba.org/?p=samba.git%3Ba=commit%3Bh=a118d4220ed85749c07fb43c1229d9e2fecbea6b
http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00002.html vendor advisory
http://www.ubuntu.com/usn/USN-2856-1 vendor advisory
http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00019.html vendor advisory
http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html
http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00020.html vendor advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1281326
https://git.samba.org/?p=samba.git%3Ba=commit%3Bh=0454b95657846fcecf0f51b6f1194faac02518bd
https://www.samba.org/samba/security/CVE-2015-5330.html vendor advisory
http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00017.html vendor advisory
http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00032.html vendor advisory
https://git.samba.org/?p=samba.git%3Ba=commit%3Bh=538d305de91e34a2938f5f219f18bf0e1918763f
http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00047.html vendor advisory
http://www.securitytracker.com/id/1034493 vdb entry
http://www.debian.org/security/2016/dsa-3433 vendor advisory
http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00048.html vendor advisory
https://security.gentoo.org/glsa/201612-47 vendor advisory
http://www.securityfocus.com/bid/79734 vdb entry
http://www.ubuntu.com/usn/USN-2855-1 vendor advisory
http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00033.html vendor advisory
https://git.samba.org/?p=samba.git%3Ba=commit%3Bh=7f51ec8c4ed9ba1f53d722e44fb6fb3cde933b72

Frequently Asked Questions

What is the severity of CVE-2015-5330?
CVE-2015-5330 has been scored as a high severity vulnerability.
How to fix CVE-2015-5330?
To fix CVE-2015-5330, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2015-5330 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2015-5330 is being actively exploited. According to its EPSS score, there is a ~1% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.