Weak Password Requirements Affecting samba package, versions <2:4.9.5+dfsg-5+deb10u4


Severity

Recommended
0.0
medium
0
10

Snyk's Security Team recommends NVD's CVSS assessment. Learn more

Threat Intelligence

EPSS
0.19% (58th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-DEBIAN10-SAMBA-474653
  • published3 Nov 2019
  • disclosed6 Nov 2019

Introduced: 3 Nov 2019

CVE-2019-14833  (opens in a new tab)
CWE-521  (opens in a new tab)

How to fix?

Upgrade Debian:10 samba to version 2:4.9.5+dfsg-5+deb10u4 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream samba package and not the samba package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.

A flaw was found in Samba, all versions starting samba 4.5.0 before samba 4.9.15, samba 4.10.10, samba 4.11.2, in the way it handles a user password change or a new password for a samba user. The Samba Active Directory Domain Controller can be configured to use a custom script to check for password complexity. This configuration can fail to verify password complexity when non-ASCII characters are used in the password, which could lead to weak passwords being set for samba users, making it vulnerable to dictionary attacks.

CVSS Scores

version 3.1