CVE-2007-1507

high

Description

The default configuration in OpenAFS 1.4.x before 1.4.4 and 1.5.x before 1.5.17 supports setuid programs within the local cell, which might allow attackers to gain privileges by spoofing a response to an AFS cache manager FetchStatus request, and setting setuid and root ownership for files in the cache.

References

https://exchange.xforce.ibmcloud.com/vulnerabilities/33180

http://www.vupen.com/english/advisories/2007/1033

http://www.securitytracker.com/id?1017807

http://www.securityfocus.com/bid/23060

http://www.openafs.org/pipermail/openafs-announce/2007/000187.html

http://www.openafs.org/pipermail/openafs-announce/2007/000186.html

http://www.openafs.org/pipermail/openafs-announce/2007/000185.html

http://www.mandriva.com/security/advisories?name=MDKSA-2007:066

http://www.debian.org/security/2007/dsa-1271

http://security.gentoo.org/glsa/glsa-200704-03.xml

http://secunia.com/advisories/24720

http://secunia.com/advisories/24607

http://secunia.com/advisories/24599

http://secunia.com/advisories/24582

Details

Source: Mitre, NVD

Published: 2007-03-20

Updated: 2024-11-21

Risk Information

CVSS v2

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Severity: High

CVSS v3

Base Score: 7.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Severity: High