CVE-2023-34968

Publication date 19 July 2023

Last updated 24 July 2024

Ubuntu priority

Cvss 3 Severity Score

A path disclosure vulnerability was found in Samba. As part of the Spotlight protocol, Samba discloses the server-side absolute path of shares, files, and directories in the results for search queries. This flaw allows a malicious client or an attacker with a targeted RPC request to view the information that is part of the disclosed path.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
samba	25.04 plucky	Fixed 2:4.18.5+dfsg-1ubuntu1
	24.10 oracular	Fixed 2:4.18.5+dfsg-1ubuntu1
	24.04 LTS noble	Fixed 2:4.18.5+dfsg-1ubuntu1
	23.10 mantic	Fixed 2:4.18.5+dfsg-1ubuntu1
	23.04 lunar	Fixed 2:4.17.7+dfsg-1ubuntu1.1
	22.10 kinetic	Fixed 2:4.16.8+dfsg-0ubuntu1.2
	22.04 LTS jammy	Fixed 2:4.15.13+dfsg-0ubuntu1.2
	20.04 LTS focal	Fixed 2:4.15.13+dfsg-0ubuntu0.20.04.3
	18.04 LTS bionic	Needs evaluation
	16.04 LTS xenial	Needs evaluation
	14.04 LTS trusty	Needs evaluation

Notes

sbeattie

spotlight support was enabled in ubuntu packages in 2:4.13.2+dfsg-3ubuntu1 (Ubuntu 21.04 / hirsute) and in the 2:4.13.14+dfsg-0ubuntu0.20.04.1 backport to Ubuntu 20.04 LTS / focal. Older versions are not affected *unless* it is decided to backport a newer version to address other open security issues; see https://bugs.launchpad.net/bugs/1950363 for details.

Severity score breakdown

Parameter	Value
Base score	5.3 · Medium
Attack vector	Network
Attack complexity	Low
Privileges required	None
User interaction	None
Scope	Unchanged
Confidentiality	Low
Integrity impact	None
Availability impact	None
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References

Related Ubuntu Security Notices (USN)

USN-6238-1
Samba vulnerabilities
19 July 2023