CVE-2016-4536
MEDIUMOpenAFS < 1.6.17 - Information Exposure via Uninitialized RPC Structures
Title source: llmDescription
The client in OpenAFS before 1.6.17 does not properly initialize the (1) AFSStoreStatus, (2) AFSStoreVolumeStatus, (3) VldbListByAttributes, and (4) ListAddrByAttributes structures, which might allow remote attackers to obtain sensitive memory information by leveraging access to RPC call traffic.
References (3)
Core 3
Core References
Vendor Advisory x_refsource_confirm
https://www.openafs.org/pages/security/OPENAFS-SA-2016-002.txt
Vendor Advisory x_refsource_confirm
https://www.openafs.org/dl/openafs/1.6.17/RELNOTES-1.6.17
Vendor Advisory mailing-list
x_refsource_mlist
https://lists.openafs.org/pipermail/openafs-announce/2016/000496.html
Scores
CVSS v3
5.3
EPSS
0.0131
EPSS Percentile
67.1%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Details
CWE
CWE-200
Status
published
Products (1)
openafs/openafs
< 1.6.16
Published
May 13, 2016
Tracked Since
Feb 18, 2026