Cyber Resilience

CVE-2021-20254

Medium

Published: 05 May 2021

Modified: 21 November 2024
KEV Added
Patch
CVSS Score v3.1: 6.8 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0176 (83.0th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-20254 is a medium-severity Out-of-bounds Read (CWE-125) vulnerability in Samba. Its CVSS base score is 6.8 (Medium).

Operationally, it is ranked in the top 17.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Vulnerability details

A flaw was found in Samba. The Samba smbd file server must map Windows group identities (SIDs) into Unix group ids (gids). The code that performs this had a flaw that could allow it to read data beyond the end of the array in the case where a negative cache entry had been added to the mapping cache. This could cause the calling code to return those values into the process token that stores the group membership for a user. The highest threat from this vulnerability is to data confidentiality and integrity.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor | Product | Versions
samba | samba | 3.6.0 — 4.12.15 · 4.13.0 — 4.13.8 · 4.14.0 — 4.14.4
fedoraproject | fedora | 32, 33
redhat | enterprise linux | 7.0, 8.0
debian | debian linux | 9.0

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
