CVE-2016-2860
MEDIUM
OpenAFS < 1.6.17 - Authenticated Arbitrary Group Creation via Foreign Kerberos Realm
Title source: llmDescription
The newEntry function in ptserver/ptprocs.c in OpenAFS before 1.6.17 allows remote authenticated users from foreign Kerberos realms to bypass intended access restrictions and create arbitrary groups as administrators by leveraging mishandling of the creator ID.
References (5)
Vendor Advisory (x_refsource_confirm): http://www.openafs.org/pages/security/OPENAFS-SA-2016-001.txt
Third Party Advisory (vendor-advisory, x_refsource_debian): http://www.debian.org/security/2016/dsa-3569
Various Sources (x_refsource_confirm): https://www.openafs.org/dl/openafs/1.6.17/RELNOTES-1.6.17
Various Sources (x_refsource_confirm): http://git.openafs.org/?p=openafs.git%3Ba=commitdiff%3Bh=396240cf070a806b91fea81131d034e1399af1e0
Various Sources (mailing-list, x_refsource_mlist): https://lists.openafs.org/pipermail/openafs-announce/2016/000496.html
Scores
CVSS v3
6.5
EPSS
0.0150
EPSS Percentile
71.2%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Details
CWE
CWE-284
Status
published
Products (2)
debian/debian_linux
8.0
openafs/openafs
< 1.6.16
Published
May 13, 2016
Tracked Since
Feb 18, 2026