Cross-site Scripting (XSS) Affecting openafs package, versions [,1.4.4)[1.5.0,1.5.17)


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
5.17% (93rd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-UNMANAGED-OPENAFS-2381814
  • published26 Jan 2022
  • disclosed20 Mar 2007
  • creditUnknown

Introduced: 20 Mar 2007

CVE-2007-1507  (opens in a new tab)
CWE-16  (opens in a new tab)

How to fix?

Upgrade openafs to version 1.4.4, 1.5.17 or higher.

Overview

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). The default configuration in OpenAFS 1.4.x before 1.4.4 and 1.5.x before 1.5.17 supports setuid programs within the local cell, which might allow attackers to gain privileges by spoofing a response to an AFS cache manager FetchStatus request, and setting setuid and root ownership for files in the cache.

References

CVSS Scores

version 3.1