CVE-2024-10396
6.5
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
An authenticated user can provide a malformed ACL to the fileserver's StoreACL RPC, causing the fileserver to crash, possibly expose uninitialized memory, and possibly store garbage data in the audit log. Malformed ACLs provided in responses to client FetchACL RPCs can cause client processes to crash and possibly expose uninitialized memory into other ACLs stored on the server.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| The OpenAFS Foundation | OpenAFS | 1.0 < 1.6.24 | affected |
| The OpenAFS Foundation | OpenAFS | 1.8.0 < 1.8.12.2 | affected |
| The OpenAFS Foundation | OpenAFS | 1.9.0 < 1.9.1 | affected |
Weaknesses
- CWE-772: CWE-772 Missing Release of Resource after Effective Lifetime
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
CVE Program Container
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.