7.5

CVE-2018-16948

EPSS 0.38%
Published 12.09.2018 01:29:00
Last modified 21.11.2024 03:53:34
Source cve@mitre.org
Teams watchlist Login
Open Login

An issue was discovered in OpenAFS before 1.6.23 and 1.8.x before 1.8.2. Several RPC server routines did not fully initialize their output variables before returning, leaking memory contents from both the stack and the heap. Because the OpenAFS cache manager functions as an Rx server for the AFSCB service, clients are also susceptible to information leakage. For example, RXAFSCB_TellMeAboutYourself leaks kernel memory and KAM_ListEntry leaks kaserver memory.

Affected products Warnungen 0 Metrics 3 CWE 1 References 6

Data is provided by the National Vulnerability Database (NVD)

Openafs ≫ Openafs Version < 1.6.23

Openafs ≫ Openafs Version >= 1.8.0 < 1.8.2

Debian ≫ Debian Linux Version8.0

Debian ≫ Debian Linux Version9.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.38%	0.584

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:P/I:N/A:N

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

https://lists.debian.org/debian-lts-announce/2018/09/msg00024.html

Third Party Advisory

https://www.debian.org/security/2018/dsa-4302

Third Party Advisory

http://openafs.org/pages/security/OPENAFS-SA-2018-002.txt

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2018-16948

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2018-16948

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2018-16948

EUVD