CVE-2020-10730

moderate-risk

Published 2020-07-07

A NULL pointer dereference, or possible use-after-free flaw was found in Samba AD LDAP server in versions before 4.10.17, before 4.11.11 and before 4.12.4. Although some versions of Samba shipped with Red Hat Enterprise Linux do not support Samba in AD mode, the affected code is shipped with the libldb package. This flaw allows an authenticated user to possibly trigger a use-after-free or NULL pointer dereference. The highest threat from this vulnerability is to system availability.

Do I need to act?

3.1% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.5/10 Medium

NETWORK / LOW complexity

Affected Products (7)

Samba

Storage

Leap

Fedora

Debian Linux

Affected Vendors

Debian Redhat Samba Fedoraproject Opensuse

References (20)

Mailing List http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00030.html

Mailing List http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00054.html

Mailing List http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00000.html

Mailing List http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00002.html

https://bugzilla.redhat.com/show_bug.cgi?id=1849489%3B

Issue Tracking https://lists.debian.org/debian-lts-announce/2020/11/msg00041.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...

Third Party Advisory https://security.gentoo.org/glsa/202007-15

Third Party Advisory https://www.debian.org/security/2021/dsa-4884

Vendor Advisory https://www.samba.org/samba/security/CVE-2020-10730.html