CVE-2016-2860

The newEntry function in ptserver/ptprocs.c in OpenAFS before 1.6.17 allows remote authenticated users from foreign Kerberos realms to bypass intended access restrictions and create arbitrary groups as administrators by leveraging mishandling of the creator ID.

Published: May 13, 2016
Updated: Apr 13, 2023
CVE: CVE-2016-2860
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.5
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CVSS v2:

Severity: Low
Score: 4
AV:N/AC:L/Au:S/C:N/I:P/A:N

CWEs:

CWE-284

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
openafs / openafs	-	1.6.16.x
debian / debian_linux	8.0	8.0.x

http://git.openafs.org/?p=openafs.git;a=commitdiff;h=396240cf070a806b91fea81131d034e1399af1e0
http://git.openafs.org/?p=openafs.git%3Ba=commitdiff%3Bh=396240cf070a806b91fea81131d034e1399af1e0
http://www.debian.org/security/2016/dsa-3569
http://www.openafs.org/pages/security/OPENAFS-SA-2016-001.txt
https://lists.openafs.org/pipermail/openafs-announce/2016/000496.html
https://www.openafs.org/dl/openafs/1.6.17/RELNOTES-1.6.17

Vulnerability Database

289,784

CVE-2016-2860