CVE-2016-2860

Published: May 13, 2016Modified: May 6, 2026

6.5

Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

The newEntry function in ptserver/ptprocs.c in OpenAFS before 1.6.17 allows remote authenticated users from foreign Kerberos realms to bypass intended access restrictions and create arbitrary groups as administrators by leveraging mishandling of the creator ID.

Affected (2)

Products: Openafs: Openafs · Debian: Debian Linux

1 product

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Openafs Openafs	Up to 1.6.16

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 8.0

Related CWEs

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References (10)

http://git.openafs.org/?p=openafs.git%3Ba=commitdiff%3Bh=396240cf070a806b91fea81131d034e1399af1e0

Source: cve@mitre.org

http://www.debian.org/security/2016/dsa-3569

Source: cve@mitre.org

http://www.openafs.org/pages/security/OPENAFS-SA-2016-001.txt

Source: cve@mitre.org

Vendor Advisory

https://lists.openafs.org/pipermail/openafs-announce/2016/000496.html

Source: cve@mitre.org

https://www.openafs.org/dl/openafs/1.6.17/RELNOTES-1.6.17

Source: cve@mitre.org

http://git.openafs.org/?p=openafs.git%3Ba=commitdiff%3Bh=396240cf070a806b91fea81131d034e1399af1e0

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.debian.org/security/2016/dsa-3569

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.openafs.org/pages/security/OPENAFS-SA-2016-001.txt

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://lists.openafs.org/pipermail/openafs-announce/2016/000496.html

Source: af854a3a-2127-422b-91ae-364da2661108

https://www.openafs.org/dl/openafs/1.6.17/RELNOTES-1.6.17

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.