As part of the Spotlight protocol, the initial request returns a path associated with the sharename targeted by the RPC request. Samba returns the real server-side share path at this point, as well as returning the absolute server-side path of results in search queries by clients.
This CVE is public now - https://www.samba.org/samba/security/CVE-2023-34968.html.
Created samba tracking bugs for this issue: Affects: fedora-all [bug 2224250]
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:6667 https://access.redhat.com/errata/RHSA-2023:6667
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:7139 https://access.redhat.com/errata/RHSA-2023:7139
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2024:0423 https://access.redhat.com/errata/RHSA-2024:0423
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Extended Update Support Via RHSA-2024:0580 https://access.redhat.com/errata/RHSA-2024:0580