CVE-2016-2860

MEDIUM

OpenAFS < 1.6.17 - Authenticated Arbitrary Group Creation via Foreign Kerberos Realm


Description

The newEntry function in ptserver/ptprocs.c in OpenAFS before 1.6.17 allows remote authenticated users from foreign Kerberos realms to bypass intended access restrictions and create arbitrary groups as administrators by leveraging mishandling of the creator ID.

References (5)

Third Party Advisory (vendor-advisory, x_refsource_debian): http://www.debian.org/security/2016/dsa-3569
Various Sources (x_refsource_confirm): https://www.openafs.org/dl/openafs/1.6.17/RELNOTES-1.6.17
Various Sources (mailing-list, x_refsource_mlist): https://lists.openafs.org/pipermail/openafs-announce/2016/000496.html

Scores

CVSS v3 6.5
EPSS 0.0150
EPSS Percentile 71.2%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Details

CWE
CWE-284
Status published
Products (2)
debian/debian_linux 8.0
openafs/openafs < 1.6.16
Published May 13, 2016
Tracked Since Feb 18, 2026