{"id":"CVE-2019-14870","details":"All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11.x before 4.11.3 have an issue where the S4U (MS-SFU) Kerberos delegation model includes a feature allowing a subset of clients to be opted out of delegation entirely, whether via S4U2Self or via regular Kerberos authentication, by forcing all tickets for these clients to be non-forwardable. In AD this is implemented by a user attribute delegation_not_allowed (aka not-delegated), which translates to disallow-forwardable. However, the Samba AD DC does not honour this for S4U2Self: it sets the forwardable flag on the S4U2Self ticket even when the impersonated client has the not-delegated flag set.","modified":"2026-04-16T04:33:02.360369351Z","published":"2019-12-10T23:15:10.457Z","related":["SUSE-SU-2019:3318-1","SUSE-SU-2019:3319-1","SUSE-SU-2020:2673-1","openSUSE-SU-2019:2700-1","openSUSE-SU-2023:0019-1","openSUSE-SU-2023:0020-1","openSUSE-SU-2024:11365-1","openSUSE-SU-2024:12580-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PJH3ROOFYMOATD2UEPC47P5RPBDTY77E/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WNKA4YIPV7AZR7KK3GW6L3HKGHSGJZFE/"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/4217-1/"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/4217-2/"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00038.html"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202310-06"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20230216-0008/"},{"type":"ADVISORY","url":"https://www.samba.org/samba/security/CVE-2019-14870.html"},{"type":"ADVISORY","url":"https://www.synology.com/security/advisory/Synology_SA_19_40"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2021/05/msg00023.html"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2022/11/msg00034.html"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202003-52"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20191210-0002/"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14870"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/samba-team/samba","events":[{"introduced":"df33344d8eb40221d60c99931690703a11d91bc2"},{"fixed":"631a49647b76cc203917fa8d32e11ab3935106b3"},{"introduced":"25f2fe02a615e2cf906b6fa495acd8ea0aa9998a"},{"fixed":"d644dfea6f2a55b2c205a4f268372b72a06757d1"},{"introduced":"d60cf580825819f11de9e50ec4c4ce591d695ad9"},{"fixed":"7fc8563c2f6381c0389cdbb8c833e9bb89ec068b"}],"database_specific":{"versions":[{"introduced":"4.0.0"},{"fixed":"4.9.17"},{"introduced":"4.10.0"},{"fixed":"4.10.11"},{"introduced":"4.11.0"},{"fixed":"4.11.3"}]}}],"versions":["ldb-1.5.5","ldb-1.5.6","samba-4.10.0","samba-4.10.1","samba-4.10.10","samba-4.10.6","samba-4.10.7","samba-4.10.9","samba-4.11.0","samba-4.11.1","samba-4.11.2"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"30"}]},{"events":[{"introduced":"0"},{"last_affected":"31"}]},{"events":[{"introduced":"0"},{"last_affected":"14.04"}]},{"events":[{"introduced":"0"},{"last_affected":"16.04"}]},{"events":[{"introduced":"0"},{"last_affected":"18.04"}]},{"events":[{"introduced":"0"},{"last_affected":"19.04"}]},{"events":[{"introduced":"0"},{"last_affected":"19.10"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"10.0"}]},{"events":[{"introduced":"0"},{"last_affected":"15.1"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-14870.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"}]}
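The record's description says what the bug is but not what the KDC decision looks like, nor how to tell whether a given Samba build falls inside the affected ranges. The following is an added example written for this page, not Samba's KDC code: it models the forwardable-flag decision for a normal TGS-REQ and for an S4U2Self request, once with only the requesting service's entry consulted (the vulnerable behaviour) and once with the impersonated client's entry consulted as well (the fixed behaviour), and it checks a version string against the ranges listed above. The `UF_NOT_DELEGATED`, `KDC_OPT_FORWARDABLE` and `TKT_FLG_FORWARDABLE` values are the public Windows and RFC 4120 constants; the `Principal` type, the `ticket_flags`/`is_affected` helpers and the sample principals are assumptions made for the example.

```python
"""Model of the S4U2Self forwardable-flag decision behind CVE-2019-14870.

Added illustration for this page, not Samba's KDC code. It reduces the KDC's
decision to a few lines so the pre-fix and post-fix behaviours can be compared
on identical inputs, and checks a version string against the affected ranges.
"""
import re
from dataclasses import dataclass
from typing import Optional

# userAccountControl bit "Account is sensitive and cannot be delegated"
# (ADS_UF_NOT_DELEGATED in the Windows SDK).
UF_NOT_DELEGATED = 0x00100000
UF_NORMAL_ACCOUNT = 0x00000200

# RFC 4120 KDCOptions / TicketFlags bit 1 ("forwardable") as it lands in the
# 32-bit flag word used by MIT and Heimdal (bit 0 is the most significant bit).
KDC_OPT_FORWARDABLE = 0x40000000
TKT_FLG_FORWARDABLE = 0x40000000


@dataclass(frozen=True)
class Principal:
    """Minimal stand-in (assumed for the example) for an HDB entry built from an AD user."""
    name: str
    user_account_control: int

    @property
    def forwardable_allowed(self) -> bool:
        # AD's not-delegated flag maps to "forwardable = false" on the KDC entry.
        return not (self.user_account_control & UF_NOT_DELEGATED)


def ticket_flags(requester: Principal, impersonated: Optional[Principal],
                 kdc_options: int, fixed: bool) -> int:
    """Return the TicketFlags the modelled KDC would place in the issued ticket.

    requester    - principal that sent the TGS-REQ (for S4U2Self, the service
                   asking for a ticket to itself).
    impersonated - client named in PA-FOR-USER, or None for a normal TGS-REQ.
    fixed        - False: only the requester's entry governs forwardability
                   (the vulnerable behaviour). True: the impersonated client's
                   entry is consulted too, so a not-delegated user yields a
                   non-forwardable S4U2Self ticket.
    """
    governing = [requester]
    if impersonated is not None and fixed:
        governing.append(impersonated)
    flags = 0
    if kdc_options & KDC_OPT_FORWARDABLE and all(p.forwardable_allowed for p in governing):
        flags |= TKT_FLG_FORWARDABLE
    return flags


# Affected ranges from the record above: [introduced, fixed) per release series.
AFFECTED_RANGES = (
    ((4, 0, 0), (4, 9, 17)),
    ((4, 10, 0), (4, 10, 11)),
    ((4, 11, 0), (4, 11, 3)),
)


def parse_version(version: str):
    """Turn '4.10.10' or 'Version 4.9.5-Debian' into a comparable (x, y, z) tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"no x.y.z version in {version!r}")
    return tuple(int(g) for g in m.groups())


def is_affected(version: str) -> bool:
    """True when the upstream version lies inside one of the affected ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def demo():
    """Run the four cases that matter and report which tickets come back forwardable."""
    # Constructed sample principals: a web service, a sensitive user, a normal user.
    web = Principal("http/web.example.com", UF_NORMAL_ACCOUNT)
    alice = Principal("alice", UF_NORMAL_ACCOUNT | UF_NOT_DELEGATED)  # cannot be delegated
    bob = Principal("bob", UF_NORMAL_ACCOUNT)

    def fwd(*args):
        return bool(ticket_flags(*args) & TKT_FLG_FORWARDABLE)

    return {
        # Regular authentication honours not-delegated even before the fix.
        "alice_regular_tgs_vulnerable": fwd(alice, None, KDC_OPT_FORWARDABLE, False),
        # S4U2Self on the vulnerable DC: the service's entry allows forwardable,
        # and alice's entry is never consulted.
        "alice_s4u2self_vulnerable": fwd(web, alice, KDC_OPT_FORWARDABLE, False),
        "alice_s4u2self_fixed": fwd(web, alice, KDC_OPT_FORWARDABLE, True),
        # A user without the flag still gets a forwardable S4U2Self ticket after the fix.
        "bob_s4u2self_fixed": fwd(web, bob, KDC_OPT_FORWARDABLE, True),
    }


if __name__ == "__main__":
    for case, forwardable in demo().items():
        print(f"{case:30} forwardable={forwardable}")
    for ver in ("4.9.16", "4.9.17", "4.10.10", "4.11.3"):
        print(f"samba {ver:8} affected={is_affected(ver)}")
```

Two caveats for anyone using this as a check. `is_affected` compares upstream version numbers only; distributions listed in the record's references backported the fix into older version strings, so a `4.9.5-Debian` build may already be patched and the distro advisory, not the number, is authoritative. And the model says nothing about whether the resulting forwardable ticket is then usable for S4U2Proxy; the practical verification on a live DC is to request an S4U2Self ticket for a user marked "sensitive and cannot be delegated" (with a Heimdal client, `kgetcred --impersonate=<user> <service>` followed by `klist -v`, which are assumed here to be available) and confirm the forwardable flag is absent.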