CVE-2007-1507

The default configuration in OpenAFS 1.4.x before 1.4.4 and 1.5.x before 1.5.17 supports setuid programs within the local cell, which might allow attackers to gain privileges by spoofing a response to an AFS cache manager FetchStatus request, and setting setuid and root ownership for files in the cache.

Published: Mar 20, 2007
Updated: Nov 9, 2025
CVE: CVE-2007-1507
Severity: High
Exploit:

CVSS v2:

Severity: High
Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

CWEs:

CWE-16

OWASP TOP 10:

A6 - Security Misconfiguration

Affected Software
References

Software	From	Fixed in
openafs / openafs	1.4.4	1.4.4.x
openafs / openafs	1.4.3	1.4.3.x
openafs / openafs	1.4.0	1.4.0.x
openafs / openafs	1.5.6	1.5.6.x
openafs / openafs	1.4.2	1.4.2.x
openafs / openafs	1.5.13	1.5.13.x
openafs / openafs	1.5.3	1.5.3.x
openafs / openafs	1.5.5	1.5.5.x
openafs / openafs	1.5.12	1.5.12.x
openafs / openafs	1.5.1	1.5.1.x
openafs / openafs	1.5.15	1.5.15.x
openafs / openafs	1.5.8	1.5.8.x
openafs / openafs	1.5.16	1.5.16.x
openafs / openafs	1.5.14	1.5.14.x
openafs / openafs	1.5.9	1.5.9.x
openafs / openafs	1.5.10	1.5.10.x
openafs / openafs	1.5.0	1.5.0.x
openafs / openafs	1.5.2	1.5.2.x
openafs / openafs	1.4.1	1.4.1.x
openafs / openafs	1.5.11	1.5.11.x
openafs / openafs	1.5.7	1.5.7.x

Vulnerability Database

314,615

CVE-2007-1507

Deep Security Visibility Without the Complexity