CVE-2014-5030 - OpenCVE

CUPS before 2.0 allows local users to read arbitrary files via a symlink attack on (1) index.html, (2) index.class, (3) index.pl, (4) index.php, (5) index.pyc, or (6) index.py.

No CVSS v3.1

No CVSS v3.0

Access Vector Local

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:L/AC:M/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Apple	Cups
Canonical	Ubuntu Linux

Configuration 1 [-]

OR	cpe:2.3:o:canonical:ubuntu_linux:10.04::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:12.04::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:14.04::::lts:::

Configuration 2 [-]

OR	cpe:2.3:a:apple:cups::::::::
	cpe:2.3:a:apple:cups:1.7:rc1::::::
	cpe:2.3:a:apple:cups:1.7.0:::::::*
	cpe:2.3:a:apple:cups:1.7.1:::::::*
	cpe:2.3:a:apple:cups:1.7.1:b1::::::
	cpe:2.3:a:apple:cups:1.7.2:::::::*
	cpe:2.3:a:apple:cups:1.7.3:::::::*

References

Link	Resource
http://advisories.mageia.org/MGASA-2014-0313.html
http://rhn.redhat.com/errata/RHSA-2014-1388.html
http://secunia.com/advisories/60509
http://secunia.com/advisories/60787
http://www.debian.org/security/2014/dsa-2990
http://www.mandriva.com/security/advisories?name=MDVSA-2015:108
http://www.openwall.com/lists/oss-security/2014/07/22/13
http://www.openwall.com/lists/oss-security/2014/07/22/2
http://www.ubuntu.com/usn/USN-2341-1
https://cups.org/str.php?L4455	Patch Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: debian

Published: 2014-07-29T14:00:00

Updated: 2017-01-04T17:57:01

Reserved: 2014-07-22T00:00:00

Link: CVE-2014-5030

JSON object: View

NVD Information

Status : Modified

Published: 2014-07-29T14:55:07.827

Modified: 2017-01-07T03:00:25.100

Link: CVE-2014-5030

JSON object: View

Redhat Information

No data.

CWE

CWE-59

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2014-07-21T00:00:00", "descriptions": [{"lang": "en", "value": "CUPS before 2.0 allows local users to read arbitrary files via a symlink attack on (1) index.html, (2) index.class, (3) index.pl, (4) index.php, (5) index.pyc, or (6) index.py."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-01-04T17:57:01", "orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5", "shortName": "debian"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://cups.org/str.php?L4455"}, {"name": "USN-2341-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-2341-1"}, {"name": "[oss-security] 20140722 Re: CVE Request: cups: Incomplete fix for CVE-2014-3537", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2014/07/22/13"}, {"name": "RHSA-2014:1388", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2014-1388.html"}, {"name": "60787", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/60787"}, {"name": "DSA-2990", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2014/dsa-2990"}, {"name": "[oss-security] 20140722 CVE Request: cups: Incomplete fix for CVE-2014-3537", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2014/07/22/2"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://advisories.mageia.org/MGASA-2014-0313.html"}, {"name": "60509", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/60509"}, {"name": "MDVSA-2015:108", "tags": ["vendor-advisory", "x_refsource_MANDRIVA"], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:108"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@debian.org", "ID": "CVE-2014-5030", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "CUPS before 2.0 allows local users to read arbitrary files via a symlink attack on (1) index.html, (2) index.class, (3) index.pl, (4) index.php, (5) index.pyc, or (6) index.py."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://cups.org/str.php?L4455", "refsource": "CONFIRM", "url": "https://cups.org/str.php?L4455"}, {"name": "USN-2341-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2341-1"}, {"name": "[oss-security] 20140722 Re: CVE Request: cups: Incomplete fix for CVE-2014-3537", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2014/07/22/13"}, {"name": "RHSA-2014:1388", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2014-1388.html"}, {"name": "60787", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/60787"}, {"name": "DSA-2990", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2014/dsa-2990"}, {"name": "[oss-security] 20140722 CVE Request: cups: Incomplete fix for CVE-2014-3537", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2014/07/22/2"}, {"name": "http://advisories.mageia.org/MGASA-2014-0313.html", "refsource": "CONFIRM", "url": "http://advisories.mageia.org/MGASA-2014-0313.html"}, {"name": "60509", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/60509"}, {"name": "MDVSA-2015:108", "refsource": "MANDRIVA", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:108"}]}}}}, "cveMetadata": {"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5", "assignerShortName": "debian", "cveId": "CVE-2014-5030", "datePublished": "2014-07-29T14:00:00", "dateReserved": "2014-07-22T00:00:00", "dateUpdated": "2017-01-04T17:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:10.04:*:*:*:lts:*:*:*", "matchCriteriaId": "5D37DF0F-F863-45AC-853A-3E04F9FEC7CA", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*", "matchCriteriaId": "B6B7CAD7-9D4E-4FDB-88E3-1E583210A01F", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*", "matchCriteriaId": "B5A6F2F3-4894-4392-8296-3B8DD2679084", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apple:cups:*:*:*:*:*:*:*:*", "matchCriteriaId": "FB6B5B62-D4D1-410D-AF80-0855B6D6A2D1", "versionEndIncluding": "1.7.4", "vulnerable": true}, {"criteria": "cpe:2.3:a:apple:cups:1.7:rc1:*:*:*:*:*:*", "matchCriteriaId": "055893FF-4833-4BDC-9C6B-B4BDD0F59942", "vulnerable": true}, {"criteria": "cpe:2.3:a:apple:cups:1.7.0:*:*:*:*:*:*:*", "matchCriteriaId": "F911CF9B-673B-4783-BE33-1D233F75BC1B", "vulnerable": true}, {"criteria": "cpe:2.3:a:apple:cups:1.7.1:*:*:*:*:*:*:*", "matchCriteriaId": "FAD0A09C-DCE7-4873-AC60-68EC747BD1F5", "vulnerable": true}, {"criteria": "cpe:2.3:a:apple:cups:1.7.1:b1:*:*:*:*:*:*", "matchCriteriaId": "54164748-5511-4B90-BD1B-75C0D89532A3", "vulnerable": true}, {"criteria": "cpe:2.3:a:apple:cups:1.7.2:*:*:*:*:*:*:*", "matchCriteriaId": "C950144A-DAAB-4E2E-84A6-9C356CDC8EAC", "vulnerable": true}, {"criteria": "cpe:2.3:a:apple:cups:1.7.3:*:*:*:*:*:*:*", "matchCriteriaId": "9741201D-2223-4593-8463-A0FE313F26F4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "CUPS before 2.0 allows local users to read arbitrary files via a symlink attack on (1) index.html, (2) index.class, (3) index.pl, (4) index.php, (5) index.pyc, or (6) index.py."}, {"lang": "es", "value": "CUPS anterior a 2.0 permite a usuarios locales leer ficheros arbitrarios a trav\u00e9s de un ataque de enlace simb\u00f3lico sobre (1) index.html, (2) index.class, (3) index.pl, (4) index.php, (5) index.pyc o (6) index.py."}], "id": "CVE-2014-5030", "lastModified": "2017-01-07T03:00:25.100", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 1.9, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.4, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2014-07-29T14:55:07.827", "references": [{"source": "security@debian.org", "url": "http://advisories.mageia.org/MGASA-2014-0313.html"}, {"source": "security@debian.org", "url": "http://rhn.redhat.com/errata/RHSA-2014-1388.html"}, {"source": "security@debian.org", "url": "http://secunia.com/advisories/60509"}, {"source": "security@debian.org", "url": "http://secunia.com/advisories/60787"}, {"source": "security@debian.org", "url": "http://www.debian.org/security/2014/dsa-2990"}, {"source": "security@debian.org", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2015:108"}, {"source": "security@debian.org", "url": "http://www.openwall.com/lists/oss-security/2014/07/22/13"}, {"source": "security@debian.org", "url": "http://www.openwall.com/lists/oss-security/2014/07/22/2"}, {"source": "security@debian.org", "url": "http://www.ubuntu.com/usn/USN-2341-1"}, {"source": "security@debian.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://cups.org/str.php?L4455"}], "sourceIdentifier": "security@debian.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-59"}], "source": "nvd@nist.gov", "type": "Primary"}]}