CVE-2023-4091

EUVD-2023-53981
A vulnerability was discovered in Samba, where the flaw allows SMB clients to truncate files, even with read-only permissions when the Samba VFS module "acl_xattr" is configured with "acl_xattr:ignore system acls = yes". The SMB protocol allows opening files when the client requests read-only access but then implicitly truncates the opened file to 0 bytes if the client specifies a separate OVERWRITE create disposition request. The issue arises in configurations that bypass kernel file system permissions checks, relying solely on Samba's permissions.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.5 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
redhatCNA
6.5 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 64%
Affected Products (NVD)
VendorProductVersion
sambasamba
𝑥
< 4.17.12
sambasamba
4.18.0 ≤
𝑥
< 4.18.8
sambasamba
4.19.0 ≤
𝑥
< 4.19.1
redhatstorage
3.0
redhatenterprise_linux
8.0
redhatenterprise_linux_eus
9.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
samba
bookworm
2:4.17.12+dfsg-0+deb12u1
fixed
bookworm (security)
2:4.17.12+dfsg-0+deb12u1
fixed
bullseye
2:4.13.13+dfsg-1~deb11u6
fixed
bullseye (security)
2:4.13.13+dfsg-1~deb11u6
fixed
sid
2:4.21.2+dfsg-4
fixed
trixie
2:4.21.2+dfsg-4
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
samba
bionic
needs-triage
focal
Fixed 2:4.15.13+dfsg-0ubuntu0.20.04.6
released
jammy
Fixed 2:4.15.13+dfsg-0ubuntu1.5
released
lunar
Fixed 2:4.17.7+dfsg-1ubuntu2.3
released
mantic
Fixed 2:4.18.6+dfsg-1ubuntu2.1
released
noble
Fixed 2:4.18.6+dfsg-1ubuntu2.1
released
oracular
Fixed 2:4.18.6+dfsg-1ubuntu2.1
released
trusty
ignored
xenial
needs-triage
Common Weakness Enumeration
References
https://access.redhat.com/errata/RHSA-2023:6209
https://access.redhat.com/errata/RHSA-2023:6744
https://access.redhat.com/errata/RHSA-2023:7371
https://access.redhat.com/errata/RHSA-2023:7408
https://access.redhat.com/errata/RHSA-2023:7464
https://access.redhat.com/errata/RHSA-2023:7467
https://access.redhat.com/security/cve/CVE-2023-4091
https://bugzilla.redhat.com/show_bug.cgi?id=2241882
https://bugzilla.samba.org/show_bug.cgi?id=15439
https://www.samba.org/samba/security/CVE-2023-4091.html
https://access.redhat.com/errata/RHSA-2023:6209
https://access.redhat.com/errata/RHSA-2023:6744
https://access.redhat.com/errata/RHSA-2023:7371
https://access.redhat.com/errata/RHSA-2023:7408
https://access.redhat.com/errata/RHSA-2023:7464
https://access.redhat.com/errata/RHSA-2023:7467
https://access.redhat.com/security/cve/CVE-2023-4091
https://bugzilla.redhat.com/show_bug.cgi?id=2241882
https://bugzilla.samba.org/show_bug.cgi?id=15439
https://lists.debian.org/debian-lts-announce/2024/04/msg00015.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZUMVALLFFDFC53JZMUWA6HPD7HUGAP5I/
https://security.netapp.com/advisory/ntap-20231124-0002/
https://www.samba.org/samba/security/CVE-2023-4091.html