Alpine: libsmbclient, pam-winbind, multiple samba packages: security update to 4.11.1-r0 (deprecated)

medium Tenable Self-Hosted Container Security Plugin ID 400481

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- A flaw was found in the samba client, all samba versions before samba 4.11.2, 4.10.10 and 4.9.15, where a
malicious server can supply a pathname to the client with separators. This could allow the client to
access files and folders outside of the SMB network pathnames. An attacker could use this vulnerability to
create files outside of the current working directory using the privileges of the client user.
(CVE-2019-10218)

- A flaw was found in Samba, all versions starting samba 4.5.0 before samba 4.9.15, samba 4.10.10, samba
4.11.2, in the way it handles a user password change or a new password for a samba user. The Samba Active
Directory Domain Controller can be configured to use a custom script to check for password complexity.
This configuration can fail to verify password complexity when non-ASCII characters are used in the
password, which could lead to weak passwords being set for samba users, making it vulnerable to dictionary
attacks. (CVE-2019-14833)

See Also

https://git.alpinelinux.org/aports/commit/?id=04ffd24b186af4b064d5c00e85e0536832c29154

https://git.alpinelinux.org/aports/commit/?id=b8c29bc4a15eb1bcdc0504834b34f45348972ae1

Plugin Details

Severity: Medium

ID: 400481

Version: Revision 1.25

Type: Local

Published: 8/16/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.18

CVSS v2

Risk Factor: Medium

Base Score: 4.9

Temporal Score: 3.6

Vector: CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:N

CVSS Score Source: CVE-2019-14833

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2019-10218

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 11/14/2019

Vulnerability Publication Date: 10/29/2019

Reference Information

CVE: CVE-2019-10218, CVE-2019-14833

IAVA: 2019-A-0407-S