CERT VU:557062
Nov 19, 2004 - 12:00 a.m.

CUPS stores user account details in plain text in log file

www.kb.cert.org

EPSS: 0.0004 (Low), percentile 5.4%

Overview

When an SMB printer is configured, CUPS stores plain text login information to the log file.

Description

CUPS is a cross-platform printing system for UNIX environments. It can use the IPP, LPD, SMB, and JetDirect protocols to interact with printers. The SMB protocol is used to communicate with printers that are shared via Microsoft Windows or other SMB-compatible software such as Samba. When an SMB printer is added or modified, the connection string for the printer is written to the log file in plain text. This connection string will contain a username and password if authentication is required for the printer.


Impact

A local authenticated user may be able to retrieve the usernames and passwords for other accounts.


Solution

Apply a patch from your vendor

For vendor-specific information regarding vulnerable status and patch availability, please see the Systems Affected section of this document.


Upgrade your version of CUPS

This issue is resolved in CUPS 1.1.22rc1. Starting with this version, the connection string for the printer is sanitized so that it does not contain sensitive information.
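The same kind of sanitization can be applied to log files written before the upgrade. The following is an added example, not code from CUPS or from this note: it redacts the credential part of SMB connection strings in log lines and reports which lines carried a password, without echoing the password. The smb://user:password@workgroup/server/printer shape, the REDACTED marker and the sample log lines are assumptions constructed for the illustration.

```python
import re

# Assumed URI shape: smb://[user[:password]@][workgroup/]server/printer.
# The greedy group backtracks to the last "@" before the first "/", so a
# password containing "@" or ":" is redacted in full.
SMB_USERINFO = re.compile(r"(smb://)([^/\s]+)@", re.IGNORECASE)

# Constructed sample lines (not real CUPS output).
SAMPLE_LOG = [
    'I [19/Nov/2004:10:02:11 -0500] printer office-lj uri "smb://jdoe:S3cr3t%21@CORP/printsrv/laserjet"',
    'I [19/Nov/2004:10:05:40 -0500] printer lobby uri "ipp://10.0.0.5/ipp"',
    'D [19/Nov/2004:10:07:02 -0500] printer plotter uri "smb://guest@printsrv/plotter"',
    'I [19/Nov/2004:10:09:30 -0500] printer color uri "smb://CORP/printsrv/color"',
]


def sanitize_line(line):
    """Return (line with SMB userinfo redacted, [(username, has_password), ...])."""
    hits = []

    def redact(match):
        user, sep, _password = match.group(2).partition(":")
        hits.append((user, bool(sep)))
        return match.group(1) + "REDACTED@"

    return SMB_USERINFO.sub(redact, line), hits


def audit_log(lines):
    """Sanitize every line; report (line_no, username, has_password) per hit.

    The password itself is never returned, only the fact that one was logged,
    so the report can be shared when deciding which accounts to rotate.
    """
    clean, findings = [], []
    for line_no, line in enumerate(lines, start=1):
        new_line, hits = sanitize_line(line)
        clean.append(new_line)
        findings.extend((line_no, user, has_pw) for user, has_pw in hits)
    return clean, findings


if __name__ == "__main__":
    clean, findings = audit_log(SAMPLE_LOG)
    for line_no, user, has_pw in findings:
        what = "username and password" if has_pw else "username only"
        print(f"line {line_no}: {what} logged for account {user!r}")
    print("\n".join(clean))
```

Any account reported with a password should have that password changed, since the log may already have been read while it was world-readable.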

Restrict access to the CUPS log file

By default, the CUPS log file is world-readable. Access to the CUPS log file can be restricted by setting the LogFilePerm option in cupsd.conf to “0600”.
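One way to verify this mitigation, as an added example that is not part of the original note or of CUPS: the check below reads the LogFilePerm directive from cupsd.conf text and also inspects the mode of the log files on disk, flagging any access beyond the owner. Matching the directive name case-insensitively and the throwaway demo file are assumptions of this sketch.

```python
import os
import stat
import tempfile


def log_file_perm(conf_text):
    """Return LogFilePerm from cupsd.conf text as an int, or None if unset."""
    value = None
    for raw in conf_text.splitlines():
        parts = raw.strip().split()
        # Commented-out lines start with "#" and therefore never match here.
        if len(parts) >= 2 and parts[0].lower() == "logfileperm":
            value = int(parts[1], 8)  # modes are written in octal, e.g. 0600
    return value


def exposed(mode):
    """Permission bits granted to group or other (0 means owner-only)."""
    return stat.S_IMODE(mode) & 0o077


def audit(conf_text, log_paths):
    """Return a list of findings; an empty list means owner-only access."""
    findings = []
    perm = log_file_perm(conf_text)
    if perm is None:
        findings.append("cupsd.conf: LogFilePerm is not set, so the default applies")
    elif exposed(perm):
        findings.append(f"cupsd.conf: LogFilePerm {perm:04o} allows group/other access")
    # Check the files on disk as well: their current mode is what is enforced.
    for path in log_paths:
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if exposed(mode):
            findings.append(f"{path}: mode {mode:04o} allows group/other access")
    return findings


if __name__ == "__main__":
    # Constructed demo: a throwaway file stands in for the CUPS log file.
    with tempfile.TemporaryDirectory() as tmp:
        log = os.path.join(tmp, "error_log")
        open(log, "w").close()
        os.chmod(log, 0o644)
        for finding in audit("LogLevel info\n", [log]):
            print(finding)
```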

Do not use authenticated printing to Windows via Samba

Because sensitive information may be disclosed when using a printer shared via SMB, consider using another protocol, such as LPD, instead. Windows can function as an LPD server when Print Services for UNIX is installed.


Vendor Information


Debian: Affected

Notified: October 04, 2004 Updated: October 18, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see <http://www.debian.org/security/2004/dsa-566>

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23557062 Feedback>).

MandrakeSoft: Affected

Notified: October 04, 2004 Updated: October 22, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see MDKSA-2004:116

Hitachi: Not Affected

Notified: October 04, 2004 Updated: October 08, 2004

Status

Not Affected

Vendor Statement

Hitachi HI-UX/WE2 is NOT Vulnerable to this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

NetBSD: Not Affected

Notified: October 04, 2004 Updated: October 05, 2004

Status

Not Affected

Vendor Statement

NetBSD does not include CUPS in the base system distribution.

Users of NetBSD and other Operating Systems may add CUPS from the
third-party packages collection, pkgsrc. The pkgsrc packages are
updated in response to vendor security advisories and patches as they
become available, and known-vulnerable packages can be checked for
using the audit-packages tool.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

BSDI: Unknown

Notified: October 04, 2004 Updated: October 04, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

Conectiva: Unknown

Notified: October 04, 2004 Updated: October 04, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

Cray Inc.: Unknown

Notified: October 04, 2004 Updated: October 04, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

EMC Corporation: Unknown

Notified: October 04, 2004 Updated: October 04, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

Engarde: Unknown

Notified: October 04, 2004 Updated: October 04, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

F5 Networks: Unknown

Notified: October 04, 2004 Updated: October 04, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

FreeBSD: Unknown

Notified: October 04, 2004 Updated: October 04, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

Fujitsu: Unknown

Notified: October 04, 2004 Updated: October 04, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

Hewlett-Packard Company: Unknown

Notified: October 04, 2004 Updated: October 04, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

IBM: Unknown

Notified: October 04, 2004 Updated: October 04, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

IBM eServer: Unknown

Notified: October 04, 2004 Updated: October 04, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

IBM-zSeries: Unknown

Notified: October 04, 2004 Updated: October 04, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

Immunix: Unknown

Notified: October 04, 2004 Updated: October 04, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

Ingrian Networks: Unknown

Notified: October 04, 2004 Updated: October 04, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

Juniper Networks: Unknown

Notified: October 04, 2004 Updated: October 04, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

MontaVista Software: Unknown

Notified: October 04, 2004 Updated: October 04, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

NEC Corporation: Unknown

Notified: October 04, 2004 Updated: October 04, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

Nokia: Unknown

Notified: October 04, 2004 Updated: October 04, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

Novell: Unknown

Notified: October 04, 2004 Updated: October 04, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

OpenBSD: Unknown

Notified: October 04, 2004 Updated: October 04, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

Openwall GNU/*/Linux: Unknown

Notified: October 04, 2004 Updated: October 04, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

Red Hat Inc.: Unknown

Notified: October 04, 2004 Updated: October 04, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

SCO: Unknown

Notified: October 04, 2004 Updated: October 04, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

SGI: Unknown

Notified: October 04, 2004 Updated: October 28, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see: <ftp://patches.sgi.com/support/free/security/advisories/20041004-01-U.asc>

Sequent: Unknown

Notified: October 04, 2004 Updated: October 04, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

Sony Corporation: Unknown

Notified: October 04, 2004 Updated: October 04, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

SuSE Inc.: Unknown

Notified: October 04, 2004 Updated: October 04, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

Sun Microsystems Inc.: Unknown

Notified: October 04, 2004 Updated: October 04, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

TurboLinux: Unknown

Notified: October 04, 2004 Updated: October 04, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

Unisys: Unknown

Notified: October 04, 2004 Updated: October 04, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

Wind River Systems Inc.: Unknown

Notified: October 04, 2004 Updated: October 04, 2004

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

Acknowledgements

Thanks to Gary Smith for reporting this vulnerability.

This document was written by Will Dormann.

Other Information

CVE IDs: CVE-2004-0923
Severity Metric: 5.06
Date Public: