The Samba Active Directory LDAP server was vulnerable to an information disclosure flaw because of missing access control checks. An authenticated attacker could use this flaw to extract confidential attribute values using LDAP search expressions. Samba versions before 4.6.16, 4.7.9 and 4.8.4 are vulnerable.
The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
| Link | Tags |
|---|---|
| https://www.debian.org/security/2018/dsa-4271 | third party advisory vendor advisory |
| https://usn.ubuntu.com/3738-1/ | third party advisory vendor advisory |
| https://www.samba.org/samba/security/CVE-2018-10919.html | patch vendor advisory |
| https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10919 | issue tracking third party advisory |
| https://security.netapp.com/advisory/ntap-20180814-0001/ | third party advisory |
| http://www.securityfocus.com/bid/105081 | vdb entry third party advisory |
| https://security.gentoo.org/glsa/202003-52 | vendor advisory |