=========================================================== == Subject: Save registry file outside share as unprivileged user == == CVE ID#: CVE-2019-3880 == == Versions: All versions of Samba since before Samba 3.x == == Summary: Authenticated users with write permission can trigger a symlink traversal to write files outside the Samba share. =========================================================== =========== Description =========== Samba contains an RPC endpoint emulating the Windows registry service API. One of the requests, "winreg_SaveKey", is susceptible to a path/symlink traversal vulnerability. Unprivileged users can use it to save a registry hive file anywhere they have write access, even outside a Samba share. ================== Patch Availability ================== Patches addressing both these issues have been posted to: http://www.samba.org/samba/security/ Additionally, Samba $VERSIONS have been issued as security releases to correct the defect. Samba administrators are advised to upgrade to these releases or apply the patch as soon as possible. ================== CVSSv3 calculation ================== CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N (5.4) ========== Workaround ========== ======= Credits ======= Originally reported by Michael Hanselmann. Patches provided by $DEVELOPER of the Samba team. ========================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ==========================================================