
Peter Iannucci

#16348 of 53,633
16.5 Total CVSS
Vulnerabilities · 2 (Medium: 1, High: 1)

PT-2016-5247 · CVSS 6.5 · 2016-03-25
Openafs · Openafs · CVE-2016-2860

**Name of the Vulnerable Software and Affected Versions**
OpenAFS versions prior to 1.6.17

**Description**
The issue allows remote authenticated users from foreign Kerberos realms to bypass intended access restrictions. This is due to the mishandling of the creator ID in the newEntry function. As a result, attackers can create arbitrary groups as administrators.

**Recommendations**
For versions prior to 1.6.17, update to version 1.6.17 or later to resolve the issue.

PT-2013-1207 · CVSS 10 · 2013-11-05
Openafs · Openafs · CVE-2013-4134

**Name of the Vulnerable Software and Affected Versions**
- OpenAFS versions prior to 1.4.15
- OpenAFS versions 1.6.x prior to 1.6.5
- OpenAFS versions 1.7.x prior to 1.7.26

**Description**
The issue is related to the use of weak encryption, specifically DES, for Kerberos keys in OpenAFS. This weakness makes it easier for remote attackers to obtain the service key, potentially leading to breaches of confidentiality, integrity, and availability of protected information. The exploitation of these weaknesses can be done remotely.

**Recommendations**
- For OpenAFS versions prior to 1.4.15, update to version 1.4.15 or later.
- For OpenAFS versions 1.6.x prior to 1.6.5, update to version 1.6.5 or later.
- For OpenAFS versions 1.7.x prior to 1.7.26, update to version 1.7.26 or later.