{"api_version":"1","generated_at":"2026-04-23T04:09:47+00:00","cve":"CVE-2019-14902","urls":{"html":"https://cve.report/CVE-2019-14902","api":"https://cve.report/api/cve/CVE-2019-14902.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2019-14902","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2019-14902"},"summary":{"title":"CVE-2019-14902","description":"There is an issue in all samba 4.11.x versions before 4.11.5, all samba 4.10.x versions before 4.10.12 and all samba 4.9.x versions before 4.9.18, where the removal of the right to create or modify a subtree would not automatically be taken away on all domain controllers.","state":"PUBLIC","assigner":"secalert@redhat.com","published_at":"2020-01-21 18:15:00","updated_at":"2023-11-07 03:05:00"},"problem_types":["NVD-CWE-noinfo"],"metrics":[],"references":[{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14902","name":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14902","refsource":"CONFIRM","tags":["Issue Tracking","Third Party Advisory"],"title":"1791201 – (CVE-2019-14902) CVE-2019-14902 samba: Replication of ACLs set to inherit down a subtree on AD Directory not automatic","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ACZVNMIFQGGXNJPMHAVBN3H2U65FXQY/","name":"FEDORA-2020-f92cd0e72b","refsource":"","tags":[],"title":"[SECURITY] Fedora 30 Update: samba-4.10.13-0.fc30 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.samba.org/samba/security/CVE-2019-14902.html","name":"https://www.samba.org/samba/security/CVE-2019-14902.html","refsource":"MISC","tags":["Mailing List","Vendor Advisory"],"title":"Samba - Security Announcement Archive","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.debian.org/debian-lts-announce/2023/09/msg00013.html","name":"[debian-lts-announce] 20230914 [SECURITY] [DLA 3563-1] samba security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 3563-1] samba security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.synology.com/security/advisory/Synology_SA_20_01","name":"https://www.synology.com/security/advisory/Synology_SA_20_01","refsource":"CONFIRM","tags":["Third Party Advisory"],"title":"Synology Inc.","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00055.html","name":"openSUSE-SU-2020:0122","refsource":"SUSE","tags":["Third Party Advisory"],"title":"[security-announce] openSUSE-SU-2020:0122-1: moderate: Security update f","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GQ6U65I2K23YJC4FESW477WL55TU3PPT/","name":"FEDORA-2020-6bd386c7eb","refsource":"","tags":[],"title":"[SECURITY] Fedora 31 Update: samba-4.11.6-0.fc31 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GQ6U65I2K23YJC4FESW477WL55TU3PPT/","name":"FEDORA-2020-6bd386c7eb","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 31 Update: samba-4.11.6-0.fc31 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.debian.org/debian-lts-announce/2021/05/msg00023.html","name":"[debian-lts-announce] 20210529 [SECURITY] [DLA 2668-1] samba security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 2668-1] samba security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.gentoo.org/glsa/202003-52","name":"GLSA-202003-52","refsource":"GENTOO","tags":[],"title":"Samba: Multiple vulnerabilities (GLSA 202003-52) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://usn.ubuntu.com/4244-1/","name":"USN-4244-1","refsource":"UBUNTU","tags":["Third Party Advisory"],"title":"USN-4244-1: Samba vulnerabilities | Ubuntu security notices | Ubuntu","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4ACZVNMIFQGGXNJPMHAVBN3H2U65FXQY/","name":"FEDORA-2020-f92cd0e72b","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 30 Update: samba-4.10.13-0.fc30 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.netapp.com/advisory/ntap-20200122-0001/","name":"https://security.netapp.com/advisory/ntap-20200122-0001/","refsource":"CONFIRM","tags":["Third Party Advisory"],"title":"January 2020 Samba Vulnerabilities in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2019-14902","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-14902","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2019","cve_id":"14902","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"canonical","cpe5":"ubuntu_linux","cpe6":"16.04","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"lts","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"14902","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"canonical","cpe5":"ubuntu_linux","cpe6":"18.04","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"lts","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"14902","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"canonical","cpe5":"ubuntu_linux","cpe6":"19.04","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"14902","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"canonical","cpe5":"ubuntu_linux","cpe6":"19.10","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"14902","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"canonical","cpe5":"ubuntu_linux","cpe6":"16.04","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"lts","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"14902","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"canonical","cpe5":"ubuntu_linux","cpe6":"18.04","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"lts","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"14902","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"canonical","cpe5":"ubuntu_linux","cpe6":"19.04","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"14902","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"canonical","cpe5":"ubuntu_linux","cpe6":"19.10","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"14902","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"9.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"14902","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"opensuse","cpe5":"leap","cpe6":"15.1","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"14902","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"opensuse","cpe5":"leap","cpe6":"15.1","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"14902","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"samba","cpe5":"samba","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"14902","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"samba","cpe5":"samba","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2019-14902","qid":"178607","title":"Debian Security Update for samba (DLA 2668-1)"},{"cve":"CVE-2019-14902","qid":"296075","title":"Oracle Solaris 11.4 Support Repository Update (SRU) 21.69.0 Missing (CPUAPR2020)"},{"cve":"CVE-2019-14902","qid":"500624","title":"Alpine Linux Security Update for samba"},{"cve":"CVE-2019-14902","qid":"504386","title":"Alpine Linux Security Update for samba"},{"cve":"CVE-2019-14902","qid":"6000093","title":"Debian Security Update for samba (DLA 3563-1)"},{"cve":"CVE-2019-14902","qid":"670882","title":"EulerOS Security Update for samba (EulerOS-SA-2020-2396)"}]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"CVE-2019-14902","ASSIGNER":"secalert@redhat.com","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"[UNKNOWN]","product":{"product_data":[{"product_name":"samba","version":{"version_data":[{"version_value":"all samba 4.11.x versions before 4.11.5"},{"version_value":"all samba 4.10.x versions before 4.10.12"},{"version_value":"all samba 4.9.x versions before 4.9.18"}]}}]}}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-284"}]}]},"references":{"reference_data":[{"url":"https://www.samba.org/samba/security/CVE-2019-14902.html","refsource":"MISC","name":"https://www.samba.org/samba/security/CVE-2019-14902.html"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14902","name":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14902","refsource":"CONFIRM"},{"refsource":"CONFIRM","name":"https://security.netapp.com/advisory/ntap-20200122-0001/","url":"https://security.netapp.com/advisory/ntap-20200122-0001/"},{"refsource":"CONFIRM","name":"https://www.synology.com/security/advisory/Synology_SA_20_01","url":"https://www.synology.com/security/advisory/Synology_SA_20_01"},{"refsource":"UBUNTU","name":"USN-4244-1","url":"https://usn.ubuntu.com/4244-1/"},{"refsource":"SUSE","name":"openSUSE-SU-2020:0122","url":"http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00055.html"},{"refsource":"FEDORA","name":"FEDORA-2020-6bd386c7eb","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GQ6U65I2K23YJC4FESW477WL55TU3PPT/"},{"refsource":"FEDORA","name":"FEDORA-2020-f92cd0e72b","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4ACZVNMIFQGGXNJPMHAVBN3H2U65FXQY/"},{"refsource":"GENTOO","name":"GLSA-202003-52","url":"https://security.gentoo.org/glsa/202003-52"},{"refsource":"MLIST","name":"[debian-lts-announce] 20210529 [SECURITY] [DLA 2668-1] samba security update","url":"https://lists.debian.org/debian-lts-announce/2021/05/msg00023.html"},{"refsource":"MLIST","name":"[debian-lts-announce] 20230914 [SECURITY] [DLA 3563-1] samba security update","url":"https://lists.debian.org/debian-lts-announce/2023/09/msg00013.html"}]},"description":{"description_data":[{"lang":"eng","value":"There is an issue in all samba 4.11.x versions before 4.11.5, all samba 4.10.x versions before 4.10.12 and all samba 4.9.x versions before 4.9.18, where the removal of the right to create or modify a subtree would not automatically be taken away on all domain controllers."}]},"impact":{"cvss":[[{"vectorString":"5.4/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N","version":"3.0"}]]}},"nvd":{"publishedDate":"2020-01-21 18:15:00","lastModifiedDate":"2023-11-07 03:05:00","problem_types":["NVD-CWE-noinfo"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":5.4,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.8,"impactScore":2.5},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:P/I:P/A:N","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":5.5},"severity":"MEDIUM","exploitabilityScore":8,"impactScore":4.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:samba:samba:*:*:*:*:*:*:*:*","versionStartIncluding":"4.10.0","versionEndExcluding":"4.10.12","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:samba:samba:*:*:*:*:*:*:*:*","versionStartIncluding":"4.11.0","versionEndExcluding":"4.11.5","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:samba:samba:*:*:*:*:*:*:*:*","versionStartIncluding":"4.0.0","versionEndExcluding":"4.9.18","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2019","CveId":"14902","Ordinal":"154111","Title":"CVE-2019-14902","CVE":"CVE-2019-14902","Year":"2019"},"notes":[{"CveYear":"2019","CveId":"14902","Ordinal":"1","NoteData":"There is an issue in all samba 4.11.x versions before 4.11.5, all samba 4.10.x versions before 4.10.12 and all samba 4.9.x versions before 4.9.18, where the removal of the right to create or modify a subtree would not automatically be taken away on all domain controllers.","Type":"Description","Title":null},{"CveYear":"2019","CveId":"14902","Ordinal":"2","NoteData":"2020-01-21","Type":"Other","Title":"Published"},{"CveYear":"2019","CveId":"14902","Ordinal":"3","NoteData":"2021-05-29","Type":"Other","Title":"Modified"}]}}}