QID 355336
Date Published: 2023-06-21
QID 355336: Amazon Linux Security Advisory for samba : ALAS2023-2023-032
All versions of Samba prior to 4.13.16 are vulnerable to a malicious client using an SMB1 or NFS race to allow a directory to be created in an area of the server file system not exported under the share definition. Note that SMB1 has to be enabled, or the share also available via NFS in order for this attack to succeed. (CVE-2021-43566)
Samba AD users with permission to write to an account can impersonate arbitrary services. (CVE-2022-0336)
In Samba, GnuTLS gnutls_rnd() can fail and give predictable random values. (CVE-2022-1615)
A flaw was found in Samba. Some SMB1 write requests were not correctly range-checked to ensure the client had sent enough data to fulfill the write, allowing server memory contents to be written into the file (or printer) instead of client-supplied data. The client cannot control the area of the server memory written to the file (or printer). (CVE-2022-32742)
Samba does not validate the Validated-DNS-Host-Name right for the dNSHostName attribute which could permit unprivileged users to write it. (CVE-2022-32743)
A flaw was found in the Samba AD LDAP server. The AD DC database audit logging module can access LDAP message values freed by a preceding database module, resulting in a use-after-free issue. This issue is only possible when modifying certain privileged attributes, such as userAccountControl. (CVE-2022-32746)
A heap-based buffer overflow vulnerability was found in Samba within the GSSAPI unwrap_des() and unwrap_des3() routines of Heimdal.
Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
- ALAS2023-2023-032 - alas.aws.amazon.com/AL2023/ALAS-2023-032.html
CVEs related to QID 355336
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| ALAS2023-2023-032 | amazon linux 2023 | | |