Executive Summary

Summary
Title New CUPS packages fix information leak
Informations
Name DSA-566 First vendor Publication 2004-10-14
Vendor Debian Last vendor Modification 2004-10-14
Severity (Vendor) N/A Revision 1

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:L/AC:L/Au:N/C:P/I:N/A:N)
Cvss Base Score 2.1 Attack Range Local
Cvss Impact Score 2.9 Attack Complexity Low
Cvss Expoit Score 3.9 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

An information leak has been detected in CUPS, the Common UNIX Printing System, which may lead to the disclosure of sensitive information, such as user names and passwords which are written into log files.

The used patch only eliminates the authentication information in the device URI which is logged in the error_log file. It does not eliminate the URI from the environment and process table, which is why the CUPS developers recommend that system administrators do not code authentication information in device URIs in the first place.

For the stable distribution (woody) this problem has been fixed in version 1.1.14-5woody7.

For the unstable distribution (sid) this problem has been fixed in version 1.1.20final+rc1-9.

We recommend that you upgrade your CUPS package.

Original Source

Url : http://www.debian.org/security/2004/dsa-566

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:10710
 
Oval ID: oval:org.mitre.oval:def:10710
Title: CUPS 1.1.20 and earlier records authentication information for a device URI in the error_log file, which allows local users to obtain user names and passwords.
Description: CUPS 1.1.20 and earlier records authentication information for a device URI in the error_log file, which allows local users to obtain user names and passwords.
Family: unix Class: vulnerability
Reference(s): CVE-2004-0923
Version: 5
Platform(s): Red Hat Enterprise Linux 3
CentOS Linux 3
Product(s):
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 21
Os 15
Os 15

OpenVAS Exploits

Date Description
2008-09-24 Name : Gentoo Security Advisory GLSA 200410-06 (cups)
File : nvt/glsa_200410_06.nasl
2008-09-04 Name : FreeBSD Ports: cups-base
File : nvt/freebsd_cups-base1.nasl
2008-01-17 Name : Debian Security Advisory DSA 566-1 (cupsys)
File : nvt/deb_566_1.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
11048 CUPS Debugging Local Authentication Credential Disclosure

Cups contains a flaw that may allow a malicious user to view plaintext usernames and passwords, both in the error log and the process list of the affected system. The issue is triggered when a user is authenticated via Samba. It is possible that the flaw may allow users to discover passwords, resulting in a loss of confidentiality.
10499 CUPS Printing Log Password Disclosure

Nessus® Vulnerability Scanner

Date Description
2009-04-23 Name : The remote FreeBSD host is missing a security-related update.
File : freebsd_pkg_30cea6be1d0c11d9814e0001020eed82.nasl - Type : ACT_GATHER_INFO
2004-11-10 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-566.nasl - Type : ACT_GATHER_INFO
2004-11-04 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2004-543.nasl - Type : ACT_GATHER_INFO
2004-10-22 Name : The remote Mandrake Linux host is missing one or more security updates.
File : mandrake_MDKSA-2004-116.nasl - Type : ACT_GATHER_INFO
2004-10-09 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-200410-06.nasl - Type : ACT_GATHER_INFO
2004-10-05 Name : The remote Fedora Core host is missing a security update.
File : fedora_2004-331.nasl - Type : ACT_GATHER_INFO
2004-10-04 Name : The remote host is missing a Mac OS X update that fixes a security issue.
File : macosx_SecUpd20040930.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
Date Informations
2014-02-17 11:33:30
  • Multiple Updates