Executive Summary
Summary | |
---|---|
Title | New CUPS packages fix information leak |
Informations | |||
---|---|---|---|
Name | DSA-566 | First vendor Publication | 2004-10-14 |
Vendor | Debian | Last vendor Modification | 2004-10-14 |
Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:L/AC:L/Au:N/C:P/I:N/A:N) | |||
---|---|---|---|
Cvss Base Score | 2.1 | Attack Range | Local |
Cvss Impact Score | 2.9 | Attack Complexity | Low |
Cvss Expoit Score | 3.9 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
An information leak has been detected in CUPS, the Common UNIX Printing System, which may lead to the disclosure of sensitive information, such as user names and passwords which are written into log files. The used patch only eliminates the authentication information in the device URI which is logged in the error_log file. It does not eliminate the URI from the environment and process table, which is why the CUPS developers recommend that system administrators do not code authentication information in device URIs in the first place. For the stable distribution (woody) this problem has been fixed in version 1.1.14-5woody7. For the unstable distribution (sid) this problem has been fixed in version 1.1.20final+rc1-9. We recommend that you upgrade your CUPS package. |
Original Source
Url : http://www.debian.org/security/2004/dsa-566 |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:10710 | |||
Oval ID: | oval:org.mitre.oval:def:10710 | ||
Title: | CUPS 1.1.20 and earlier records authentication information for a device URI in the error_log file, which allows local users to obtain user names and passwords. | ||
Description: | CUPS 1.1.20 and earlier records authentication information for a device URI in the error_log file, which allows local users to obtain user names and passwords. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2004-0923 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 3 CentOS Linux 3 | Product(s): | |
Definition Synopsis: | |||
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2008-09-24 | Name : Gentoo Security Advisory GLSA 200410-06 (cups) File : nvt/glsa_200410_06.nasl |
2008-09-04 | Name : FreeBSD Ports: cups-base File : nvt/freebsd_cups-base1.nasl |
2008-01-17 | Name : Debian Security Advisory DSA 566-1 (cupsys) File : nvt/deb_566_1.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
11048 | CUPS Debugging Local Authentication Credential Disclosure Cups contains a flaw that may allow a malicious user to view plaintext usernames and passwords, both in the error log and the process list of the affected system. The issue is triggered when a user is authenticated via Samba. It is possible that the flaw may allow users to discover passwords, resulting in a loss of confidentiality. |
10499 | CUPS Printing Log Password Disclosure |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2009-04-23 | Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_30cea6be1d0c11d9814e0001020eed82.nasl - Type : ACT_GATHER_INFO |
2004-11-10 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-566.nasl - Type : ACT_GATHER_INFO |
2004-11-04 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2004-543.nasl - Type : ACT_GATHER_INFO |
2004-10-22 | Name : The remote Mandrake Linux host is missing one or more security updates. File : mandrake_MDKSA-2004-116.nasl - Type : ACT_GATHER_INFO |
2004-10-09 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200410-06.nasl - Type : ACT_GATHER_INFO |
2004-10-05 | Name : The remote Fedora Core host is missing a security update. File : fedora_2004-331.nasl - Type : ACT_GATHER_INFO |
2004-10-04 | Name : The remote host is missing a Mac OS X update that fixes a security issue. File : macosx_SecUpd20040930.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:33:30 |
|