The default configuration in OpenAFS 1.4.x prior to 1.4.4 and 1.5.x prior to 1.5.17 supports setuid programs within the local cell, which might allow malicious users to gain privileges by spoofing a response to an AFS cache manager FetchStatus request, and setting setuid and root ownership for files in the cache.
| Vulnerable Product | Search on Vulmon | Subscribe to Product |
|---|---|---|
openafs openafs 1.5.16 |
||
openafs openafs 1.4.2 |
||
openafs openafs 1.5.7 |
||
openafs openafs 1.5.8 |
||
openafs openafs 1.4.3 |
||
openafs openafs 1.4.4 |
||
openafs openafs 1.5.2 |
||
openafs openafs 1.5.3 |
||
openafs openafs 1.5.11 |
||
openafs openafs 1.5.12 |
||
openafs openafs 1.4.0 |
||
openafs openafs 1.4.1 |
||
openafs openafs 1.5.5 |
||
openafs openafs 1.5.6 |
||
openafs openafs 1.5.13 |
||
openafs openafs 1.5.14 |
||
openafs openafs 1.5.15 |
||
openafs openafs 1.5.0 |
||
openafs openafs 1.5.1 |
||
openafs openafs 1.5.9 |
||
openafs openafs 1.5.10 |
Vulmon