CVE-2004-0082

critical

Description

The mksmbpasswd shell script (mksmbpasswd.sh) in Samba 3.0.0 and 3.0.1, when creating an account but marking it as disabled, may overwrite the user password with an uninitialized buffer, which could enable the account with a more easily guessable password.

References

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A827

https://exchange.xforce.ibmcloud.com/vulnerabilities/15132

http://www.vuxml.org/freebsd/3388eff9-5d6e-11d8-80e3-0020ed76ef5a.html

http://www.securityfocus.com/bid/9637

http://www.redhat.com/support/errata/RHSA-2004-064.html

http://www.osvdb.org/3919

http://www.ciac.org/ciac/bulletins/o-078.shtml

http://us1.samba.org/samba/ftp/WHATSNEW-3.0.2a.txt

Details

Source: Mitre, NVD

Published: 2004-03-03

Updated: 2025-04-03

Risk Information

CVSS v2

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Severity: High

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.02082