CVE-2016-2860

MEDIUM

OpenAFS < 1.6.16 - Improper Access Control

Title source: rule

Description

The newEntry function in ptserver/ptprocs.c in OpenAFS before 1.6.17 allows remote authenticated users from foreign Kerberos realms to bypass intended access restrictions and create arbitrary groups as administrators by leveraging mishandling of the creator ID.

Scores

CVSS v3: 6.5
EPSS: 0.0025
EPSS Percentile: 48.3%
Attack Vector: NETWORK
CVSS v3 vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Classification

CWE: CWE-284
Status: draft

Affected Products (2)

openafs/openafs < 1.6.16
debian/debian_linux

Timeline

Published: May 13, 2016
Tracked Since: Feb 18, 2026