CVE-2014-5029 — Link Following in Apple Cups

CWE-59 — Link Following9 documents8 sources

Severity

1.5LOWNVD

CNA1.2OSV1.2

EPSS

0.0%

top 84.87%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apple Cups Canonical Ubuntu Linux

Timeline

PublishedJul 29

Latest updateMay 17

Description

The web interface in CUPS 1.7.4 allows local users in the lp group to read arbitrary files via a symlink attack on a file in /var/cache/cups/rss/ and language[0] set to null. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3537.

CVSS vector

AV:L/AC:M/C:P/I:N/A:NExploitability: 2.7 | Impact: 2.9

Affected Packages2 packages

▶Debianapple/cups< 1.7.4-2+3

▶NVDapple/cups1.7.4

Also affects: Ubuntu Linux 10.04, 12.04, 14.04

Patches

Patch: cups.org ↗Patch: cups.org ↗

🔴Vulnerability Details

GHSA

GHSA-jxpq-c7wx-p6h2: The web interface in CUPS 1↗2022-05-17

▶

OSV

CVE-2014-5029: The web interface in CUPS 1↗2014-07-29

▶

CVEList

CVE-2014-5029: The web interface in CUPS 1↗2014-07-29

▶

📋Vendor Advisories

Ubuntu

CUPS vulnerabilities↗2014-09-08

▶

Red Hat

cups: Incomplete fix for CVE-2014-3537↗2014-07-22

▶

Debian

CVE-2014-5029: cups - The web interface in CUPS 1.7.4 allows local users in the lp group to read arbit...↗2014

▶

💬Community

Bugzilla

CVE-2014-5029 CVE-2014-5030 CVE-2014-5031 cups: Incomplete fix for CVE-2014-3537 [fedora-all]↗2014-07-23

▶

Bugzilla

CVE-2014-5029 cups: Incomplete fix for CVE-2014-3537↗2014-07-23

▶