Sign-up

ID

VAR-201404-0441


CVE

CVE-2014-2856


TITLE

Common Unix Printing System of scheduler/client.c Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2014-002191

DESCRIPTION

Cross-site scripting (XSS) vulnerability in scheduler/client.c in Common Unix Printing System (CUPS) before 1.7.2 allows remote attackers to inject arbitrary web script or HTML via the URL path, related to the is_path_absolute function. CUPS is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. CUPS 1.6.4 is vulnerable; other versions may also be affected. The system is based on the Internet Printing Protocol (IPP) and provides most PostScript and raster printer services. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: cups security and bug fix update Advisory ID: RHSA-2014:1388-02 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-1388.html Issue date: 2014-10-14 CVE Names: CVE-2014-2856 CVE-2014-3537 CVE-2014-5029 CVE-2014-5030 CVE-2014-5031 ===================================================================== 1. Summary: Updated cups packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node (v. 6) - x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64 3. Description: CUPS provides a portable printing layer for Linux, UNIX, and similar operating systems. An attacker could use this flaw to perform a cross-site scripting attack against users of the CUPS web interface. (CVE-2014-2856) It was discovered that CUPS allowed certain users to create symbolic links in certain directories under /var/cache/cups/. A local user with the 'lp' group privileges could use this flaw to read the contents of arbitrary files on the system or, potentially, escalate their privileges on the system. (CVE-2014-3537, CVE-2014-5029, CVE-2014-5030, CVE-2014-5031) The CVE-2014-3537 issue was discovered by Francisco Alonso of Red Hat Product Security. These updated cups packages also include several bug fixes. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat Enterprise Linux 6.6 Technical Notes, linked to in the References section, for information on the most significant of these changes. All cups users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the cupsd daemon will be restarted automatically. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 978387 - Bad IPP responses with version 2.0 (collection handling bug) 1012482 - /etc/cron.daily/cups breaks rule GEN003080 in Red Hat security guide 1087122 - CVE-2014-2856 cups: cross-site scripting flaw fixed in the 1.7.2 release 1115576 - CVE-2014-3537 cups: insufficient checking leads to privilege escalation 1122600 - CVE-2014-5029 cups: Incomplete fix for CVE-2014-3537 1128764 - CVE-2014-5030 cups: allows local users to read arbitrary files via a symlink attack 1128767 - CVE-2014-5031 cups: world-readable permissions 6. Package List: Red Hat Enterprise Linux Desktop (v. 6): Source: cups-1.4.2-67.el6.src.rpm i386: cups-1.4.2-67.el6.i686.rpm cups-debuginfo-1.4.2-67.el6.i686.rpm cups-libs-1.4.2-67.el6.i686.rpm cups-lpd-1.4.2-67.el6.i686.rpm x86_64: cups-1.4.2-67.el6.x86_64.rpm cups-debuginfo-1.4.2-67.el6.i686.rpm cups-debuginfo-1.4.2-67.el6.x86_64.rpm cups-libs-1.4.2-67.el6.i686.rpm cups-libs-1.4.2-67.el6.x86_64.rpm cups-lpd-1.4.2-67.el6.x86_64.rpm Red Hat Enterprise Linux Desktop Optional (v. 6): i386: cups-debuginfo-1.4.2-67.el6.i686.rpm cups-devel-1.4.2-67.el6.i686.rpm cups-php-1.4.2-67.el6.i686.rpm x86_64: cups-debuginfo-1.4.2-67.el6.i686.rpm cups-debuginfo-1.4.2-67.el6.x86_64.rpm cups-devel-1.4.2-67.el6.i686.rpm cups-devel-1.4.2-67.el6.x86_64.rpm cups-php-1.4.2-67.el6.x86_64.rpm Red Hat Enterprise Linux HPC Node (v. 6): Source: cups-1.4.2-67.el6.src.rpm x86_64: cups-1.4.2-67.el6.x86_64.rpm cups-debuginfo-1.4.2-67.el6.i686.rpm cups-debuginfo-1.4.2-67.el6.x86_64.rpm cups-libs-1.4.2-67.el6.i686.rpm cups-libs-1.4.2-67.el6.x86_64.rpm cups-lpd-1.4.2-67.el6.x86_64.rpm Red Hat Enterprise Linux HPC Node Optional (v. 6): x86_64: cups-debuginfo-1.4.2-67.el6.i686.rpm cups-debuginfo-1.4.2-67.el6.x86_64.rpm cups-devel-1.4.2-67.el6.i686.rpm cups-devel-1.4.2-67.el6.x86_64.rpm cups-php-1.4.2-67.el6.x86_64.rpm Red Hat Enterprise Linux Server (v. 6): Source: cups-1.4.2-67.el6.src.rpm i386: cups-1.4.2-67.el6.i686.rpm cups-debuginfo-1.4.2-67.el6.i686.rpm cups-devel-1.4.2-67.el6.i686.rpm cups-libs-1.4.2-67.el6.i686.rpm cups-lpd-1.4.2-67.el6.i686.rpm ppc64: cups-1.4.2-67.el6.ppc64.rpm cups-debuginfo-1.4.2-67.el6.ppc.rpm cups-debuginfo-1.4.2-67.el6.ppc64.rpm cups-devel-1.4.2-67.el6.ppc.rpm cups-devel-1.4.2-67.el6.ppc64.rpm cups-libs-1.4.2-67.el6.ppc.rpm cups-libs-1.4.2-67.el6.ppc64.rpm cups-lpd-1.4.2-67.el6.ppc64.rpm s390x: cups-1.4.2-67.el6.s390x.rpm cups-debuginfo-1.4.2-67.el6.s390.rpm cups-debuginfo-1.4.2-67.el6.s390x.rpm cups-devel-1.4.2-67.el6.s390.rpm cups-devel-1.4.2-67.el6.s390x.rpm cups-libs-1.4.2-67.el6.s390.rpm cups-libs-1.4.2-67.el6.s390x.rpm cups-lpd-1.4.2-67.el6.s390x.rpm x86_64: cups-1.4.2-67.el6.x86_64.rpm cups-debuginfo-1.4.2-67.el6.i686.rpm cups-debuginfo-1.4.2-67.el6.x86_64.rpm cups-devel-1.4.2-67.el6.i686.rpm cups-devel-1.4.2-67.el6.x86_64.rpm cups-libs-1.4.2-67.el6.i686.rpm cups-libs-1.4.2-67.el6.x86_64.rpm cups-lpd-1.4.2-67.el6.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 6): i386: cups-debuginfo-1.4.2-67.el6.i686.rpm cups-php-1.4.2-67.el6.i686.rpm ppc64: cups-debuginfo-1.4.2-67.el6.ppc64.rpm cups-php-1.4.2-67.el6.ppc64.rpm s390x: cups-debuginfo-1.4.2-67.el6.s390x.rpm cups-php-1.4.2-67.el6.s390x.rpm x86_64: cups-debuginfo-1.4.2-67.el6.x86_64.rpm cups-php-1.4.2-67.el6.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 6): Source: cups-1.4.2-67.el6.src.rpm i386: cups-1.4.2-67.el6.i686.rpm cups-debuginfo-1.4.2-67.el6.i686.rpm cups-devel-1.4.2-67.el6.i686.rpm cups-libs-1.4.2-67.el6.i686.rpm cups-lpd-1.4.2-67.el6.i686.rpm x86_64: cups-1.4.2-67.el6.x86_64.rpm cups-debuginfo-1.4.2-67.el6.i686.rpm cups-debuginfo-1.4.2-67.el6.x86_64.rpm cups-devel-1.4.2-67.el6.i686.rpm cups-devel-1.4.2-67.el6.x86_64.rpm cups-libs-1.4.2-67.el6.i686.rpm cups-libs-1.4.2-67.el6.x86_64.rpm cups-lpd-1.4.2-67.el6.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 6): i386: cups-debuginfo-1.4.2-67.el6.i686.rpm cups-php-1.4.2-67.el6.i686.rpm x86_64: cups-debuginfo-1.4.2-67.el6.x86_64.rpm cups-php-1.4.2-67.el6.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2014-2856.html https://www.redhat.com/security/data/cve/CVE-2014-3537.html https://www.redhat.com/security/data/cve/CVE-2014-5029.html https://www.redhat.com/security/data/cve/CVE-2014-5030.html https://www.redhat.com/security/data/cve/CVE-2014-5031.html https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/6.6_Technical_Notes/cups.html#RHSA-2014-1388 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFUPKsIXlSAg2UNWIIRApSvAJ9WxP5yQ+v5GDRGnSINYq0Pro0AoQCfXZqW WjIIQcBG+Sou8Is2vIFlLok= =5S/K -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . It was discovered that the web interface in CUPS incorrectly validated permissions on rss files and directory index files. A malformed file with an invalid page header and compressed raster data can trigger a buffer overflow in cupsRasterReadPixels (CVE-2014-9679). _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2856 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3537 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5029 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5030 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5031 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9679 http://advisories.mageia.org/MGASA-2014-0193.html http://advisories.mageia.org/MGASA-2014-0313.html http://advisories.mageia.org/MGASA-2015-0067.html _______________________________________________________________________ Updated Packages: Mandriva Business Server 2/X86_64: 0d1f31885b6c118b63449f2fdd821666 mbs2/x86_64/cups-1.7.0-8.1.mbs2.x86_64.rpm b5337600a386f902763653796a2cefdf mbs2/x86_64/cups-common-1.7.0-8.1.mbs2.x86_64.rpm 7b1513d85b5f22cd90bed23a35e44f51 mbs2/x86_64/cups-filesystem-1.7.0-8.1.mbs2.noarch.rpm c25fa9b9bba101274984fa2b7a62f7a3 mbs2/x86_64/lib64cups2-1.7.0-8.1.mbs2.x86_64.rpm df24a6b84fdafffaadf961ab4aa3640b mbs2/x86_64/lib64cups2-devel-1.7.0-8.1.mbs2.x86_64.rpm 5c172624c992de8ebb2bf8a2b232ee3a mbs2/SRPMS/cups-1.7.0-8.1.mbs2.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/en/support/security/advisories/ If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iD8DBQFVF6q1mqjQ0CJFipgRAuxXAKDq8A/WlNzp54yRN7xnKy8ZBaRZQwCfSAh0 n7hHPzmYVzh2wFP6PffIl0E= =ykhv -----END PGP SIGNATURE----- . ============================================================================ Ubuntu Security Notice USN-2172-1 April 24, 2014 cups vulnerability ============================================================================ A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 13.10 - Ubuntu 12.10 - Ubuntu 12.04 LTS - Ubuntu 10.04 LTS Summary: CUPS could be made to expose sensitive information over the network. If an authenticated user were tricked into visiting a malicious website while logged into CUPS, a remote attacker could modify the CUPS configuration and possibly steal confidential data. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 13.10: cups 1.7.0~rc1-0ubuntu5.3 Ubuntu 12.10: cups 1.6.1-0ubuntu11.6 Ubuntu 12.04 LTS: cups 1.5.3-0ubuntu8.2 Ubuntu 10.04 LTS: cups 1.4.3-1ubuntu1.11 In general, a standard system update will make all the necessary changes

Trust: 2.43

sources: NVD: CVE-2014-2856 // JVNDB: JVNDB-2014-002191 // BID: 66788 // VULHUB: VHN-70795 // PACKETSTORM: 126666 // PACKETSTORM: 128661 // PACKETSTORM: 131116 // PACKETSTORM: 126294 // PACKETSTORM: 126691

AFFECTED PRODUCTS

vendor:applemodel:cupsscope:eqversion:1.6.4

Trust: 1.9

vendor:applemodel:cupsscope:eqversion:1.7

Trust: 1.6

vendor:applemodel:cupsscope:eqversion:1.6.2

Trust: 1.6

vendor:applemodel:cupsscope:eqversion:1.7.1

Trust: 1.6

vendor:applemodel:cupsscope:eqversion:1.7.0

Trust: 1.6

vendor:applemodel:cupsscope:eqversion:1.6.1

Trust: 1.6

vendor:applemodel:cupsscope:eqversion:1.6

Trust: 1.6

vendor:applemodel:cupsscope:eqversion:1.6.3

Trust: 1.6

vendor:applemodel:cupsscope:eqversion:1.5.1

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.4

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.2.9

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.1.4

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.5.4

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.2.1

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.4.3

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.3.5

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.2.7

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.3.0

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.1.7

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.2.3

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.2.8

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.1.14

Trust: 1.0

vendor:applemodel:cupsscope:lteversion:1.7.1

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.1.22

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.1.3

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.2.12

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.1.12

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.3.1

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.1.8

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.1.13

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.2

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.1.15

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.1.16

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.4.6

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.3.8

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.1.6-3

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.1.1

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.3.7

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.3.9

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.1.5-2

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.5

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.1.10

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.1.5-1

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.2.6

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.1.6

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.1.9

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.3.11

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.2.4

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.4.7

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.4.1

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.1.20

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.4.4

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.3.4

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.3.2

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.1.2

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.2.11

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.1.17

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.2.0

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.5.3

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.5.2

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.4.5

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.3.10

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.1.23

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.2.5

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.3.6

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.1.11

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.2.2

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.3.3

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.4.0

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.1.19

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.1.18

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.2.10

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.3

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.1.10-1

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.1

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.1.21

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.1.9-1

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.4.8

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.5.0

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.4.2

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.1.5

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.1.6-1

Trust: 1.0

vendor:applemodel:cupsscope:eqversion:1.1.6-2

Trust: 1.0

vendor:applemodel:cupsscope:ltversion:1.7.2

Trust: 0.8

vendor:ubuntumodel:linuxscope:eqversion:13.10

Trust: 0.3

vendor:ubuntumodel:linux i386scope:eqversion:12.10

Trust: 0.3

vendor:ubuntumodel:linux amd64scope:eqversion:12.10

Trust: 0.3

vendor:ubuntumodel:linux lts i386scope:eqversion:12.04

Trust: 0.3

vendor:ubuntumodel:linux lts amd64scope:eqversion:12.04

Trust: 0.3

vendor:ubuntumodel:linux sparcscope:eqversion:10.04

Trust: 0.3

vendor:ubuntumodel:linux powerpcscope:eqversion:10.04

Trust: 0.3

vendor:ubuntumodel:linux i386scope:eqversion:10.04

Trust: 0.3

vendor:ubuntumodel:linux armscope:eqversion:10.04

Trust: 0.3

vendor:ubuntumodel:linux amd64scope:eqversion:10.04

Trust: 0.3

vendor:redhatmodel:enterprise linux workstation optionalscope:eqversion:6

Trust: 0.3

vendor:redhatmodel:enterprise linux workstationscope:eqversion:6

Trust: 0.3

vendor:redhatmodel:enterprise linux server optionalscope:eqversion:6

Trust: 0.3

vendor:redhatmodel:enterprise linux serverscope:eqversion:6

Trust: 0.3

vendor:redhatmodel:enterprise linux hpc node optionalscope:eqversion:6

Trust: 0.3

vendor:redhatmodel:enterprise linux hpc nodescope:eqversion:6

Trust: 0.3

vendor:redhatmodel:enterprise linux desktop optionalscope:eqversion:6

Trust: 0.3

vendor:redhatmodel:enterprise linux desktopscope:eqversion:6

Trust: 0.3

vendor:oraclemodel:solarisscope:eqversion:11.2

Trust: 0.3

vendor:oraclemodel:enterprise linuxscope:eqversion:6.2

Trust: 0.3

vendor:oraclemodel:enterprise linuxscope:eqversion:6

Trust: 0.3

vendor:mandrivamodel:business serverscope:eqversion:1x8664

Trust: 0.3

vendor:mandrivamodel:business serverscope:eqversion:1

Trust: 0.3

vendor:mandrakesoftmodel:enterprise server x86 64scope:eqversion:5

Trust: 0.3

vendor:mandrakesoftmodel:enterprise serverscope:eqversion:5

Trust: 0.3

vendor:oraclemodel:solarisscope:neversion:11.2.4.6.0

Trust: 0.3

vendor:applemodel:cupsscope:neversion:1.7.2

Trust: 0.3

sources: BID: 66788 // JVNDB: JVNDB-2014-002191 // CNNVD: CNNVD-201404-376 // NVD: CVE-2014-2856

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-2856
value: MEDIUM

Trust: 1.0

NVD: CVE-2014-2856
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201404-376
value: MEDIUM

Trust: 0.6

VULHUB: VHN-70795
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2014-2856
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-70795
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-70795 // JVNDB: JVNDB-2014-002191 // CNNVD: CNNVD-201404-376 // NVD: CVE-2014-2856

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-70795 // JVNDB: JVNDB-2014-002191 // NVD: CVE-2014-2856

THREAT TYPE

remote

Trust: 0.8

sources: PACKETSTORM: 126666 // PACKETSTORM: 126294 // CNNVD: CNNVD-201404-376

TYPE

xss

Trust: 0.7

sources: PACKETSTORM: 126294 // CNNVD: CNNVD-201404-376

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2014-002191

EXPLOIT AVAILABILITY
sources:
            
            
            VULHUB: VHN-70795

PATCH
title:STR #4356 XSS in CUPS 1.6.4 web interfaceurl:http://www.cups.org/str.php?L4356
Trust: 0.8
title:Release Notesurl:http://www.cups.org/documentation.php/relnotes.html
Trust: 0.8
title:RHSA-2014:1388url:https://rhn.redhat.com/errata/RHSA-2014-1388.html
Trust: 0.8
title:CVE-2014-2856 Cross-site scripting (XSS) vulnerability in CUPSurl:https://blogs.oracle.com/sunsecurity/entry/cve_2014_2856_cross_site
Trust: 0.8
title:cups-1.7.2-sourceurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=49422
Trust: 0.6
title:cups-1.7.2-sourceurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=49421
Trust: 0.6
sources:
            
            
            JVNDB: JVNDB-2014-002191 // 
            
            
            
            CNNVD: CNNVD-201404-376

EXTERNAL IDS
db:NVDid:CVE-2014-2856
Trust: 3.3
db:OPENWALLid:OSS-SECURITY/2014/04/15/3
Trust: 1.7
db:OPENWALLid:OSS-SECURITY/2014/04/14/2
Trust: 1.7
db:SECUNIAid:57880
Trust: 1.7
db:BIDid:66788
Trust: 1.4
db:JVNDBid:JVNDB-2014-002191
Trust: 0.8
db:CNNVDid:CNNVD-201404-376
Trust: 0.7
db:MLISTid:[OSS-SECURITY] 20140415 RE: CVE REQUEST: CROSS-SITE SCRIPTING ISSUE FIXED IN CUPS 1.7.2
Trust: 0.6
db:MLISTid:[OSS-SECURITY] 20140414 CVE REQUEST: CROSS-SITE SCRIPTING ISSUE FIXED IN CUPS 1.7.2
Trust: 0.6
db:PACKETSTORMid:128661
Trust: 0.2
db:PACKETSTORMid:126294
Trust: 0.2
db:PACKETSTORMid:131116
Trust: 0.2
db:PACKETSTORMid:126666
Trust: 0.2
db:VULHUBid:VHN-70795
Trust: 0.1
db:PACKETSTORMid:126691
Trust: 0.1
sources:
            
            
            VULHUB: VHN-70795 // 
            
            
            
            BID: 66788 // 
            
            
            
            JVNDB: JVNDB-2014-002191 // 
            
            
            
            PACKETSTORM: 126666 // 
            
            
            
            PACKETSTORM: 128661 // 
            
            
            
            PACKETSTORM: 131116 // 
            
            
            
            PACKETSTORM: 126294 // 
            
            
            
            PACKETSTORM: 126691 // 
            
            
            
            CNNVD: CNNVD-201404-376 // 
            
            
            
            NVD: CVE-2014-2856

REFERENCES
url:http://advisories.mageia.org/mgasa-2014-0193.html
Trust: 2.1
url:http://www.cups.org/documentation.php/relnotes.html
Trust: 2.0
url:http://www.cups.org/str.php?l4356
Trust: 2.0
url:http://www.openwall.com/lists/oss-security/2014/04/14/2
Trust: 1.7
url:http://www.openwall.com/lists/oss-security/2014/04/15/3
Trust: 1.7
url:http://secunia.com/advisories/57880
Trust: 1.7
url:http://rhn.redhat.com/errata/rhsa-2014-1388.html
Trust: 1.2
url:http://www.ubuntu.com/usn/usn-2172-1
Trust: 1.2
url:http://www.securityfocus.com/bid/66788
Trust: 1.1
url:http://www.mandriva.com/security/advisories?name=mdvsa-2015:108
Trust: 1.1
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-2856
Trust: 1.1
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-2856
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2014-2856
Trust: 0.5
url:http://www.cups.org/
Trust: 0.3
url:https://blogs.oracle.com/sunsecurity/entry/cve_2014_2856_cross_site
Trust: 0.3
url:http://www.mandriva.com/en/support/security/
Trust: 0.3
url:http://www.mandriva.com/en/support/security/advisories/
Trust: 0.3
url:https://nvd.nist.gov/vuln/detail/cve-2014-5029
Trust: 0.2
url:https://nvd.nist.gov/vuln/detail/cve-2014-3537
Trust: 0.2
url:https://nvd.nist.gov/vuln/detail/cve-2014-5030
Trust: 0.2
url:https://nvd.nist.gov/vuln/detail/cve-2014-5031
Trust: 0.2
url:https://www.redhat.com/mailman/listinfo/rhsa-announce
Trust: 0.1
url:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/6.6_technical_notes/cups.html#rhsa-2014-1388
Trust: 0.1
url:https://www.redhat.com/security/data/cve/cve-2014-2856.html
Trust: 0.1
url:https://access.redhat.com/security/team/key/#package
Trust: 0.1
url:https://www.redhat.com/security/data/cve/cve-2014-5029.html
Trust: 0.1
url:https://www.redhat.com/security/data/cve/cve-2014-5031.html
Trust: 0.1
url:https://bugzilla.redhat.com/):
Trust: 0.1
url:https://access.redhat.com/articles/11258
Trust: 0.1
url:https://www.redhat.com/security/data/cve/cve-2014-5030.html
Trust: 0.1
url:https://access.redhat.com/security/updates/classification/#moderate
Trust: 0.1
url:https://access.redhat.com/security/team/contact/
Trust: 0.1
url:https://www.redhat.com/security/data/cve/cve-2014-3537.html
Trust: 0.1
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-5031
Trust: 0.1
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-9679
Trust: 0.1
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-3537
Trust: 0.1
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-5029
Trust: 0.1
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-5030
Trust: 0.1
url:http://advisories.mageia.org/mgasa-2015-0067.html
Trust: 0.1
url:http://advisories.mageia.org/mgasa-2014-0313.html
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2014-9679
Trust: 0.1
url:https://launchpad.net/ubuntu/+source/cups/1.4.3-1ubuntu1.11
Trust: 0.1
url:https://launchpad.net/ubuntu/+source/cups/1.7.0~rc1-0ubuntu5.3
Trust: 0.1
url:https://launchpad.net/ubuntu/+source/cups/1.6.1-0ubuntu11.6
Trust: 0.1
url:https://launchpad.net/ubuntu/+source/cups/1.5.3-0ubuntu8.2
Trust: 0.1
url:https://nvd.nist.gov/vuln/detail/cve-2013-6891
Trust: 0.1
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-6891
Trust: 0.1
sources:
            
            
            VULHUB: VHN-70795 // 
            
            
            
            BID: 66788 // 
            
            
            
            JVNDB: JVNDB-2014-002191 // 
            
            
            
            PACKETSTORM: 126666 // 
            
            
            
            PACKETSTORM: 128661 // 
            
            
            
            PACKETSTORM: 131116 // 
            
            
            
            PACKETSTORM: 126294 // 
            
            
            
            PACKETSTORM: 126691 // 
            
            
            
            CNNVD: CNNVD-201404-376 // 
            
            
            
            NVD: CVE-2014-2856

CREDITS
Alex Korobkin
Trust: 0.3
sources:
            
            
            BID: 66788

SOURCES
db:VULHUBid:VHN-70795
db:BIDid:66788
db:JVNDBid:JVNDB-2014-002191
db:PACKETSTORMid:126666
db:PACKETSTORMid:128661
db:PACKETSTORMid:131116
db:PACKETSTORMid:126294
db:PACKETSTORMid:126691
db:CNNVDid:CNNVD-201404-376
db:NVDid:CVE-2014-2856

LAST UPDATE DATE
2024-08-14T12:34:54.132000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-70795date:2017-12-16T00:00:00
db:BIDid:66788date:2015-04-13T21:37:00
db:JVNDBid:JVNDB-2014-002191date:2015-06-23T00:00:00
db:CNNVDid:CNNVD-201404-376date:2014-04-23T00:00:00
db:NVDid:CVE-2014-2856date:2017-12-16T02:29:06.777

SOURCES RELEASE DATE
db:VULHUBid:VHN-70795date:2014-04-18T00:00:00
db:BIDid:66788date:2014-01-30T00:00:00
db:JVNDBid:JVNDB-2014-002191date:2014-04-23T00:00:00
db:PACKETSTORMid:126666date:2014-05-19T03:14:21
db:PACKETSTORMid:128661date:2014-10-14T23:04:56
db:PACKETSTORMid:131116date:2015-03-30T21:33:02
db:PACKETSTORMid:126294date:2014-04-24T22:17:43
db:PACKETSTORMid:126691date:2014-05-19T03:19:36
db:CNNVDid:CNNVD-201404-376date:2014-04-23T00:00:00
db:NVDid:CVE-2014-2856date:2014-04-18T14:55:26.040