Vulnerability Description
The newEntry function in ptserver/ptprocs.c in OpenAFS before 1.6.17 allows remote authenticated users from foreign Kerberos realms to bypass intended access restrictions and create arbitrary groups as administrators by leveraging mishandling of the creator ID.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Openafs | Openafs | <= 1.6.16 |
| Debian | Debian Linux | 8.0 |
Related Weaknesses (CWE)
References
- http://git.openafs.org/?p=openafs.git%3Ba=commitdiff%3Bh=396240cf070a806b91fea81
- http://www.debian.org/security/2016/dsa-3569
- http://www.openafs.org/pages/security/OPENAFS-SA-2016-001.txtVendor Advisory
- https://lists.openafs.org/pipermail/openafs-announce/2016/000496.html
- https://www.openafs.org/dl/openafs/1.6.17/RELNOTES-1.6.17
- http://git.openafs.org/?p=openafs.git%3Ba=commitdiff%3Bh=396240cf070a806b91fea81
- http://www.debian.org/security/2016/dsa-3569
- http://www.openafs.org/pages/security/OPENAFS-SA-2016-001.txtVendor Advisory
- https://lists.openafs.org/pipermail/openafs-announce/2016/000496.html
- https://www.openafs.org/dl/openafs/1.6.17/RELNOTES-1.6.17
FAQ
What is CVE-2016-2860?
CVE-2016-2860 is a vulnerability with a CVSS score of 6.5 (MEDIUM). The newEntry function in ptserver/ptprocs.c in OpenAFS before 1.6.17 allows remote authenticated users from foreign Kerberos realms to bypass intended access restrictions and create arbitrary groups a...
How severe is CVE-2016-2860?
CVE-2016-2860 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2016-2860?
Check the references section above for vendor advisories and patch information. Affected products include: Openafs Openafs, Debian Debian Linux.