ID

VAR-200501-0313


CVE

CVE-2004-0923


TITLE

CUPS stores user account details in plain text in log file

Trust: 0.8

sources: CERT/CC: VU#557062

DESCRIPTION

CUPS 1.1.20 and earlier records authentication information for a device URI in the error_log file, which allows local users to obtain user names and passwords. When an SMB printer is configured, CUPS stores plain text login information to the log file. When CUPS (Common UNIX Printing System) prints to an SMB shared printer, the user ID and password included in the device URI are recorded in the error log. The user ID and password for the SMB host providing the shared printer may be obtained. CUPS is reported prone to a local password disclosure vulnerability. This issue is reported to present itself when an authenticated user carries out certain methods of remote printing. Reportedly, local attackers can disclose user passwords in the printing system log files. CUPS 1.1.21 and prior are considered vulnerable to this issue. Due to a lack of detail, further information is not available at the moment. This BID will be updated as more information becomes available.

SOLUTION: The vulnerability has been fixed in the CVS repository.

PROVIDED AND/OR DISCOVERED BY: Gary Smith

ORIGINAL ADVISORY: http://www.cups.org/str.php?L920

Gentoo Linux Security Advisory GLSA 200410-06
http://security.gentoo.org/

Severity: Normal
Title: CUPS: Leakage of sensitive information
Date: October 09, 2004
Bugs: #66501
ID: 200410-06

Synopsis
========

CUPS leaks information about user names and passwords when using remote printing to SMB-shared printers which require authentication.

Background
==========

The Common UNIX Printing System (CUPS) is a cross-platform print spooler.

Affected packages
=================

    -------------------------------------------------------------------
     Package         /   Vulnerable   /                    Unaffected
    -------------------------------------------------------------------
  1  net-print/cups     <= 1.1.20-r2                     *>= 1.1.20-r3
                        == 1.1.21                         >= 1.1.21-r1

Description
===========

When printing to an SMB-shared printer requiring authentication, CUPS leaks the user name and password to a logfile.

Impact
======

A local user could gain knowledge of sensitive authentication data.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All CUPS users should upgrade to the latest version:

    # emerge sync
    # emerge -pv ">=net-print/cups-1.1.20-r3"
    # emerge ">=net-print/cups-1.1.20-r3"

References
==========

[ 1 ] CAN-2004-0923 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0923

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200410-06.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/1.0

Trust: 2.88

sources: NVD: CVE-2004-0923 // CERT/CC: VU#557062 // JVNDB: JVNDB-2004-000409 // BID: 11324 // VULHUB: VHN-9353 // PACKETSTORM: 34600 // PACKETSTORM: 34623

AFFECTED PRODUCTS

vendor: easy products, model: cups, scope: eq, version: 1.1.4

Trust: 1.6

vendor: apple, model: mac os x server, scope: eq, version: 10.2.8

Trust: 1.0

vendor: apple, model: mac os x, scope: eq, version: 10.2.6

Trust: 1.0

vendor: apple, model: mac os x, scope: eq, version: 10.2.5

Trust: 1.0

vendor: apple, model: mac os x server, scope: eq, version: 10.2.5

Trust: 1.0

vendor: easy products, model: cups, scope: eq, version: 1.1.12

Trust: 1.0

vendor: apple, model: mac os x server, scope: eq, version: 10.2.6

Trust: 1.0

vendor: easy products, model: cups, scope: eq, version: 1.1.14

Trust: 1.0

vendor: easy products, model: cups, scope: eq, version: 1.1.4_3

Trust: 1.0

vendor: easy products, model: cups, scope: eq, version: 1.1.16

Trust: 1.0

vendor: easy products, model: cups, scope: eq, version: 1.1.20

Trust: 1.0

vendor: easy products, model: cups, scope: eq, version: 1.0.4_8

Trust: 1.0

vendor: easy products, model: cups, scope: eq, version: 1.1.1

Trust: 1.0

vendor: easy products, model: cups, scope: eq, version: 1.1.13

Trust: 1.0

vendor: apple, model: mac os x, scope: eq, version: 10.2.1

Trust: 1.0

vendor: apple, model: mac os x server, scope: eq, version: 10.2.1

Trust: 1.0

vendor: easy products, model: cups, scope: eq, version: 1.1.17

Trust: 1.0

vendor: easy products, model: cups, scope: eq, version: 1.1.4_5

Trust: 1.0

vendor: apple, model: mac os x, scope: eq, version: 10.3.1

Trust: 1.0

vendor: apple, model: mac os x, scope: eq, version: 10.2.4

Trust: 1.0

vendor: apple, model: mac os x server, scope: eq, version: 10.2.4

Trust: 1.0

vendor: apple, model: mac os x, scope: eq, version: 10.2.3

Trust: 1.0

vendor: apple, model: mac os x server, scope: eq, version: 10.2.3

Trust: 1.0

vendor: apple, model: mac os x, scope: eq, version: 10.3.5

Trust: 1.0

vendor: easy products, model: cups, scope: eq, version: 1.1.7

Trust: 1.0

vendor: apple, model: mac os x, scope: eq, version: 10.3.4

Trust: 1.0

vendor: apple, model: mac os x server, scope: eq, version: 10.3.1

Trust: 1.0

vendor: apple, model: mac os x server, scope: eq, version: 10.3.4

Trust: 1.0

vendor: apple, model: mac os x server, scope: eq, version: 10.3.5

Trust: 1.0

vendor: easy products, model: cups, scope: eq, version: 1.1.18

Trust: 1.0

vendor: apple, model: mac os x, scope: eq, version: 10.2.2

Trust: 1.0

vendor: easy products, model: cups, scope: eq, version: 1.1.6

Trust: 1.0

vendor: easy products, model: cups, scope: eq, version: 1.1.10

Trust: 1.0

vendor: apple, model: mac os x, scope: eq, version: 10.2.7

Trust: 1.0

vendor: easy products, model: cups, scope: eq, version: 1.1.21

Trust: 1.0

vendor: apple, model: mac os x server, scope: eq, version: 10.2.2

Trust: 1.0

vendor: easy products, model: cups, scope: eq, version: 1.1.4_2

Trust: 1.0

vendor: apple, model: mac os x server, scope: eq, version: 10.2.7

Trust: 1.0

vendor: apple, model: mac os x, scope: eq, version: 10.3.3

Trust: 1.0

vendor: easy products, model: cups, scope: eq, version: 1.1.15

Trust: 1.0

vendor: easy products, model: cups, scope: eq, version: 1.1.19

Trust: 1.0

vendor: easy products, model: cups, scope: eq, version: 1.0.4

Trust: 1.0

vendor: apple, model: mac os x server, scope: eq, version: 10.3.3

Trust: 1.0

vendor: apple, model: mac os x, scope: eq, version: 10.3

Trust: 1.0

vendor: apple, model: mac os x server, scope: eq, version: 10.3

Trust: 1.0

vendor: apple, model: mac os x, scope: eq, version: 10.2

Trust: 1.0

vendor: apple, model: mac os x server, scope: eq, version: 10.2

Trust: 1.0

vendor: apple, model: mac os x, scope: eq, version: 10.3.2

Trust: 1.0

vendor: apple, model: mac os x server, scope: eq, version: 10.3.2

Trust: 1.0

vendor: easy products, model: cups, scope: eq, version: 1.1.19_rc5

Trust: 1.0

vendor: apple, model: mac os x, scope: eq, version: 10.2.8

Trust: 1.0

vendor: debian, model: -, scope: -, version: -

Trust: 0.8

vendor: mandrakesoft, model: -, scope: -, version: -

Trust: 0.8

vendor: cybertrust, model: asianux server, scope: eq, version: 3.0

Trust: 0.8

vendor: red hat, model: enterprise linux, scope: eq, version: 3 (as)

Trust: 0.8

vendor: red hat, model: enterprise linux, scope: eq, version: 3 (es)

Trust: 0.8

vendor: red hat, model: enterprise linux, scope: eq, version: 3 (ws)

Trust: 0.8

vendor: redhat, model: linux i386, scope: eq, version: 9.0

Trust: 0.3

vendor: redhat, model: linux i386, scope: eq, version: 7.3

Trust: 0.3

vendor: redhat, model: fedora core1, scope: -, version: -

Trust: 0.3

vendor: easy, model: software products cups, scope: eq, version: 1.1.21

Trust: 0.3

vendor: easy, model: software products cups, scope: eq, version: 1.1.20

Trust: 0.3

vendor: easy, model: software products cups rc5, scope: eq, version: 1.1.19

Trust: 0.3

vendor: easy, model: software products cups, scope: eq, version: 1.1.19

Trust: 0.3

vendor: easy, model: software products cups, scope: eq, version: 1.1.18

Trust: 0.3

vendor: easy, model: software products cups, scope: eq, version: 1.1.17

Trust: 0.3

vendor: easy, model: software products cups, scope: eq, version: 1.1.16

Trust: 0.3

vendor: easy, model: software products cups, scope: eq, version: 1.1.15

Trust: 0.3

vendor: easy, model: software products cups, scope: eq, version: 1.1.14

Trust: 0.3

vendor: easy, model: software products cups, scope: eq, version: 1.1.13

Trust: 0.3

vendor: easy, model: software products cups, scope: eq, version: 1.1.12

Trust: 0.3

vendor: easy, model: software products cups, scope: eq, version: 1.1.10

Trust: 0.3

vendor: easy, model: software products cups, scope: eq, version: 1.1.7

Trust: 0.3

vendor: easy, model: software products cups, scope: eq, version: 1.1.6

Trust: 0.3

vendor: easy, model: software products cups, scope: eq, version: 1.1.4-5

Trust: 0.3

vendor: easy, model: software products cups, scope: eq, version: 1.1.4-3

Trust: 0.3

vendor: easy, model: software products cups, scope: eq, version: 1.1.4-2

Trust: 0.3

vendor: easy, model: software products cups, scope: eq, version: 1.1.4

Trust: 0.3

vendor: easy, model: software products cups, scope: eq, version: 1.1.1

Trust: 0.3

vendor: easy, model: software products cups, scope: eq, version: 1.0.4-8

Trust: 0.3

vendor: easy, model: software products cups, scope: eq, version: 1.0.4

Trust: 0.3

vendor: apple, model: mac os server, scope: eq, version: x10.3.5

Trust: 0.3

vendor: apple, model: mac os server, scope: eq, version: x10.3.4

Trust: 0.3

vendor: apple, model: mac os server, scope: eq, version: x10.3.3

Trust: 0.3

vendor: apple, model: mac os server, scope: eq, version: x10.3.2

Trust: 0.3

vendor: apple, model: mac os server, scope: eq, version: x10.3.1

Trust: 0.3

vendor: apple, model: mac os server, scope: eq, version: x10.3

Trust: 0.3

vendor: apple, model: mac os server, scope: eq, version: x10.2.8

Trust: 0.3

vendor: apple, model: mac os server, scope: eq, version: x10.2.7

Trust: 0.3

vendor: apple, model: mac os server, scope: eq, version: x10.2.6

Trust: 0.3

vendor: apple, model: mac os server, scope: eq, version: x10.2.5

Trust: 0.3

vendor: apple, model: mac os server, scope: eq, version: x10.2.4

Trust: 0.3

vendor: apple, model: mac os server, scope: eq, version: x10.2.3

Trust: 0.3

vendor: apple, model: mac os server, scope: eq, version: x10.2.2

Trust: 0.3

vendor: apple, model: mac os server, scope: eq, version: x10.2.1

Trust: 0.3

vendor: apple, model: mac os server, scope: eq, version: x10.2

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.3.5

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.3.4

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.3.3

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.3.2

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.3.1

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.3

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.2.8

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.2.7

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.2.6

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.2.5

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.2.4

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.2.3

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.2.2

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.2.1

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.2

Trust: 0.3

vendor: easy, model: software products cups rc1, scope: ne, version: 1.1.22

Trust: 0.3

sources: CERT/CC: VU#557062 // BID: 11324 // JVNDB: JVNDB-2004-000409 // CNNVD: CNNVD-200501-299 // NVD: CVE-2004-0923

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2004-0923
value: LOW

Trust: 1.0

CARNEGIE MELLON: VU#557062
value: 5.06

Trust: 0.8

NVD: CVE-2004-0923
value: LOW

Trust: 0.8

CNNVD: CNNVD-200501-299
value: LOW

Trust: 0.6

VULHUB: VHN-9353
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2004-0923
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-9353
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CERT/CC: VU#557062 // VULHUB: VHN-9353 // JVNDB: JVNDB-2004-000409 // CNNVD: CNNVD-200501-299 // NVD: CVE-2004-0923

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

sources: NVD: CVE-2004-0923

THREAT TYPE

local

Trust: 1.0

sources: BID: 11324 // PACKETSTORM: 34600 // CNNVD: CNNVD-200501-299

TYPE

Design Error

Trust: 0.9

sources: BID: 11324 // CNNVD: CNNVD-200501-299

CONFIGURATIONS

sources: JVNDB: JVNDB-2004-000409

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-9353

PATCH

title: cups, url: http://www.miraclelinux.com/support/update/data/cups.html

Trust: 0.8

title: RHSA-2004:543, url: https://rhn.redhat.com/errata/RHSA-2004-543.html

Trust: 0.8

title: RHSA-2004:543, url: http://www.jp.redhat.com/support/errata/RHSA/RHSA-2004-543J.html

Trust: 0.8

sources: JVNDB: JVNDB-2004-000409

EXTERNAL IDS

db: CERT/CC, id: VU#557062

Trust: 3.3

db: NVD, id: CVE-2004-0923

Trust: 2.9

db: BID, id: 11324

Trust: 2.8

db: SECUNIA, id: 12736

Trust: 1.7

db: XF, id: 17593

Trust: 1.4

db: SECTRACK, id: 1011529

Trust: 0.8

db: JVNDB, id: JVNDB-2004-000409

Trust: 0.8

db: CNNVD, id: CNNVD-200501-299

Trust: 0.7

db: REDHAT, id: RHSA-2004:543

Trust: 0.6

db: APPLE, id: APPLE-SA-2004-09-30

Trust: 0.6

db: DEBIAN, id: DSA-566

Trust: 0.6

db: MANDRAKE, id: MDKSA-2004:116

Trust: 0.6

db: CIAC, id: P-002

Trust: 0.6

db: PACKETSTORM, id: 34623

Trust: 0.2

db: VULHUB, id: VHN-9353

Trust: 0.1

db: PACKETSTORM, id: 34600

Trust: 0.1

sources: CERT/CC: VU#557062 // VULHUB: VHN-9353 // BID: 11324 // JVNDB: JVNDB-2004-000409 // PACKETSTORM: 34600 // PACKETSTORM: 34623 // CNNVD: CNNVD-200501-299 // NVD: CVE-2004-0923

REFERENCES

url:http://www.securityfocus.com/bid/11324

Trust: 2.5

url:http://www.kb.cert.org/vuls/id/557062

Trust: 2.5

url:http://secunia.com/advisories/12736/

Trust: 1.7

url:http://lists.apple.com/archives/security-announce/2004/oct/msg00000.html

Trust: 1.7

url:http://www.ciac.org/ciac/bulletins/p-002.shtml

Trust: 1.7

url:http://www.debian.org/security/2004/dsa-566

Trust: 1.7

url:http://www.mandriva.com/security/advisories?name=mdksa-2004:116

Trust: 1.7

url:http://www.redhat.com/support/errata/rhsa-2004-543.html

Trust: 1.7

url:http://xforce.iss.net/xforce/xfdb/17593

Trust: 1.4

url:https://oval.cisecurity.org/repository/search/definition/oval%3aorg.mitre.oval%3adef%3a10710

Trust: 1.1

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/17593

Trust: 1.1

url:http://www.securitytracker.com/alerts/2004/oct/1011529.html

Trust: 0.8

url:http://fedoranews.org/updates/fedora-2004-331.shtml

Trust: 0.8

url:http://www.cups.org/ssr.html

Trust: 0.8

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2004-0923

Trust: 0.8

url:http://jvn.jp/cert/jvnvu%23557062

Trust: 0.8

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2004-0923

Trust: 0.8

url:http://www.cups.org/str.php?l920

Trust: 0.4

url:http://www.cups.org

Trust: 0.3

url:http://rhn.redhat.com/errata/rhsa-2004-543.html

Trust: 0.3

url:http://secunia.com/secunia_security_advisories/

Trust: 0.1

url:http://secunia.com/product/921/

Trust: 0.1

url:http://secunia.com/sec_adv_unsubscribe/?email=packet@packetstormsecurity.org

Trust: 0.1

url:http://secunia.com/about_secunia_advisories/

Trust: 0.1

url:http://bugs.gentoo.org.

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2004-0923

Trust: 0.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2004-0923

Trust: 0.1

url:http://creativecommons.org/licenses/by-sa/1.0

Trust: 0.1

url:http://security.gentoo.org/

Trust: 0.1

url:http://security.gentoo.org/glsa/glsa-200410-06.xml

Trust: 0.1

sources: CERT/CC: VU#557062 // VULHUB: VHN-9353 // BID: 11324 // JVNDB: JVNDB-2004-000409 // PACKETSTORM: 34600 // PACKETSTORM: 34623 // CNNVD: CNNVD-200501-299 // NVD: CVE-2004-0923

CREDITS

Discovery is credited to Gary Smith.

Trust: 0.9

sources: BID: 11324 // CNNVD: CNNVD-200501-299

SOURCES

db: CERT/CC, id: VU#557062
db: VULHUB, id: VHN-9353
db: BID, id: 11324
db: JVNDB, id: JVNDB-2004-000409
db: PACKETSTORM, id: 34600
db: PACKETSTORM, id: 34623
db: CNNVD, id: CNNVD-200501-299
db: NVD, id: CVE-2004-0923

LAST UPDATE DATE

2024-08-14T12:34:06.243000+00:00


SOURCES UPDATE DATE

db: CERT/CC, id: VU#557062, date: 2004-12-17T00:00:00
db: VULHUB, id: VHN-9353, date: 2017-10-11T00:00:00
db: BID, id: 11324, date: 2009-07-12T07:06:00
db: JVNDB, id: JVNDB-2004-000409, date: 2007-04-01T00:00:00
db: CNNVD, id: CNNVD-200501-299, date: 2005-10-20T00:00:00
db: NVD, id: CVE-2004-0923, date: 2017-10-11T01:29:37.810

SOURCES RELEASE DATE

db: CERT/CC, id: VU#557062, date: 2004-11-19T00:00:00
db: VULHUB, id: VHN-9353, date: 2005-01-27T00:00:00
db: BID, id: 11324, date: 2004-10-04T00:00:00
db: JVNDB, id: JVNDB-2004-000409, date: 2007-04-01T00:00:00
db: PACKETSTORM, id: 34600, date: 2004-10-13T04:33:44
db: PACKETSTORM, id: 34623, date: 2004-10-13T07:15:20
db: CNNVD, id: CNNVD-200501-299, date: 2005-01-27T00:00:00
db: NVD, id: CVE-2004-0923, date: 2005-01-27T05:00:00