A local user can bypass the OpenAFS PAG (Process Authentication Group)
throttling mechanism in Unix clients, allowing the user to create a PAG using
an existing id number, effectively joining the PAG and letting the user steal
the credentials in that PAG.

Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Thu, 07 Aug 2025 19:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:openafs:openafs:*:*:*:*:*:*:*:*
cpe:2.3:a:openafs:openafs:1.9.0:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Fri, 11 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00042}

epss

{'score': 0.00035}


Fri, 22 Nov 2024 12:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 0.0, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N'}


Tue, 19 Nov 2024 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 0, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 14 Nov 2024 19:30:00 +0000

Type Values Removed Values Added
Description A local user can bypass the OpenAFS PAG (Process Authentication Group) throttling mechanism in Unix clients, allowing the user to create a PAG using an existing id number, effectively joining the PAG and letting the user steal the credentials in that PAG.
Title A local user can bypass the OpenAFS PAG (Process Authentication Group) throttling mechanism in Unix client
Weaknesses CWE-190
References
Metrics cvssV4_0

{'score': 8.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: fedora

Published:

Updated: 2024-11-21T16:11:52.222Z

Reserved: 2024-10-25T18:51:34.290Z

Link: CVE-2024-10394

Vulnrichment

Updated: 2024-11-19T15:59:36.199Z

NVD

Status: Analyzed

Published: 2024-11-14T20:15:20.777

Modified: 2025-08-07T18:58:16.823

Link: CVE-2024-10394

Redhat

No data.

OpenCVE Enrichment

Updated: 2025-07-12T16:01:21Z