ID: CVE-2015-1159
Type: cve
Reporter: NVD
Modified: 2017-09-22T21:29:00
Description
Cross-site scripting (XSS) vulnerability in the cgi_puts function in cgi-bin/template.c in the template engine in CUPS before 2.0.3 allows remote attackers to inject arbitrary web script or HTML via the QUERY parameter to help/.
{"result": {"f5": [{"id": "SOL16794", "type": "f5", "title": "SOL16794 - CUPS vulnerabilities CVE-2015-1158 / CVE-2015-1159", "description": " * [CVE-2015-1158](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1158>)\n\nA string reference count bug was found in cupsd, causing premature freeing of string objects. An attacker can submit a malicious print job that exploits this flaw to dismantle ACLs protecting privileged operations, allowing a replacement configuration file to be uploaded, which in turn allows the attacker to run arbitrary code on the CUPS server.\n\n * [CVE-2015-1159](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1159>)\n\nA cross-site scripting bug in the CUPS templating engine allows this bug to be exploited when a user browses the web.\n", "published": "2015-06-23T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://support.f5.com/kb/en-us/solutions/public/16000/700/sol16794.html", "cvelist": ["CVE-2015-1158", "CVE-2015-1159"], "lastseen": "2016-03-19T09:01:42"}], "cert": [{"id": "VU:810572", "type": "cert", "title": "CUPS print service is vulnerable to privilege escalation and cross-site scripting", "description": "### Overview\n\nCUPS implements the Internet Printing Protocol (IPP) for UNIX-derived operating systems. Various versions of CUPS are vulnerable to a privilege escalation due to a memory management error.\n\n### Description\n\n[**CWE-911**](<http://cwe.mitre.org/data/definitions/911.html>)**: Improper Update of Reference Count - **CVE-2015-1158 \n\nAn issue with how localized strings are handled in `cupsd` allows a reference counter to over-decrement when handling certain print job request errors. As a result, an attacker can prematurely free an arbitrary string of global scope, creating a dangling pointer to a repurposed block of memory on the heap. 
The dangling pointer causes ACL verification to fail when parsing `'admin/conf'` and `'admin'` ACLs. The ACL handling failure results in unrestricted access to privileged operations, allowing an unauthenticated remote user to upload a replacement CUPS configuration file and mount further attacks. \n \nThis vulnerability was introduced in CUPS 1.2.0, released in 2006. All major versions of CUPS from 1.2 to 2.0 are vulnerable. This vulnerability is exploitable by default and without any special permissions other than the ability to send a print job request. \n \n[**CWE-79**](<http://cwe.mitre.org/data/definitions/79.html>)**: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - **CVE-2015-1159 \n \nA cross-site scripting bug in the CUPS templating engine allows this bug to be exploited when a user browses the web. In certain cases, the CGI template can echo user input to file rather than escaping the text first. This may be used to set up a reflected XSS attack in the QUERY parameter of the web interface help page. By default, many Linux distributions run with the web interface activated; OS X has the web interface deactivated by default. \n \nThe CVSS score below is based on CVE-2015-1158. \n \n--- \n \n### Impact\n\nCVE-2015-1158 may allow a remote unauthenticated attacker access to privileged operations on the CUPS server. CVE-2015-1159 may allow an attacker to execute arbitrary JavaScript in a user's browser. \n \n--- \n \n### Solution\n\n**Apply an update** \n \nA [patch](<http://www.cups.org/blog.php?L1082+I0+Q>) addressing these issues has been released for all supported versions of CUPS. For the version 2.0 branch (the latest release), 2.0.3 contains the patch. Affected users are encouraged to update as soon as possible. 
\n \n--- \n \n### Vendor Information \n\nVendor| Status| Date Notified| Date Updated \n---|---|---|--- \nApple| | 06 May 2015| 08 May 2015 \nFreeBSD Project| | 08 May 2015| 10 Jun 2015 \nopenSUSE project| | 08 May 2015| 10 Jun 2015 \nSUSE Linux| | 08 May 2015| 10 Jun 2015 \nCentOS| | 08 May 2015| 08 May 2015 \nDebian GNU/Linux| | 08 May 2015| 08 May 2015 \nDesktopBSD| | 08 May 2015| 08 May 2015 \nDragonFly BSD Project| | 08 May 2015| 08 May 2015 \nEMC Corporation| | 08 May 2015| 08 May 2015 \nF5 Networks, Inc.| | 08 May 2015| 08 May 2015 \nFedora Project| | 08 May 2015| 08 May 2015 \nGentoo Linux| | 08 May 2015| 08 May 2015 \nHewlett-Packard Company| | 08 May 2015| 08 May 2015 \nHitachi| | 08 May 2015| 08 May 2015 \nIBM Corporation| | 08 May 2015| 08 May 2015 \nIf you are a vendor and your product is affected, [let us know](<mailto:cert@cert.org?Subject=VU%23810572 Vendor Status Inquiry>). \n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 9.3 | AV:N/AC:M/Au:N/C:C/I:C/A:C \nTemporal | 7.3 | E:POC/RL:OF/RC:C \nEnvironmental | 5.5 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND \n \n### References\n\n * <http://www.cups.org/blog.php?L1082+I0+Q>\n * <https://www.cups.org/str.php?L4609>\n\n### Credit\n\nThis document was written by Garret Wassermann.\n\n### Other Information\n\n * CVE IDs: [CVE-2015-1158](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1158>) [CVE-2015-1159](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1159>)\n * Date Public: 08 Jun 2015\n * Date First Published: 09 Jun 2015\n * Date Last Updated: 10 Jun 2015\n * Document Revision: 42\n\n", "published": "2015-06-09T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.kb.cert.org/vuls/id/810572", "cvelist": ["CVE-2015-1158", "CVE-2015-1158", "CVE-2015-1158", "CVE-2015-1158", "CVE-2015-1158", "CVE-2015-1159", "CVE-2015-1159", "CVE-2015-1159", "CVE-2015-1159"], "lastseen": "2016-02-03T09:12:53"}], 
"nessus": [{"id": "FEDORA_2015-9801.NASL", "type": "nessus", "title": "Fedora 21 : cups-1.7.5-17.fc21 (2015-9801)", "description": "This update fixed 2 security flaws.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2015-06-22T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=84311", "cvelist": ["CVE-2015-1158", "CVE-2015-1159"], "lastseen": "2017-10-29T13:41:40"}, {"id": "FEDORA_2015-9726.NASL", "type": "nessus", "title": "Fedora 22 : cups-2.0.3-1.fc22 (2015-9726)", "description": "New upstream bug-fix release.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2015-06-22T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=84310", "cvelist": ["CVE-2015-1158", "CVE-2015-1159"], "lastseen": "2017-10-29T13:41:36"}, {"id": "GENTOO_GLSA-201510-07.NASL", "type": "nessus", "title": "GLSA-201510-07 : CUPS: Multiple vulnerabilities", "description": "The remote host is affected by the vulnerability described in GLSA-201510-07 (CUPS: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in cups. 
Please review the CVE identifiers referenced below for details.\n Impact :\n\n A remote attacker could possibly execute arbitrary code with the privileges of the process, or cause a Denial of Service condition.\n Workaround :\n\n There is no known workaround at this time.", "published": "2015-11-02T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=86692", "cvelist": ["CVE-2015-1158", "CVE-2015-1159"], "lastseen": "2017-10-29T13:43:19"}, {"id": "FREEBSD_PKG_A40EC9700EFA11E590E4D050996490D0.NASL", "type": "nessus", "title": "FreeBSD : cups -- multiple vulnerabilities (a40ec970-0efa-11e5-90e4-d050996490d0)", "description": "CUPS development team reports :\n\nThe new release addresses two security vulnerabilities, add localizations for German and Russian, and includes several general bug fixes. Changes include :\n\nSecurity: Fixed CERT VU #810572/CVE-2015-1158/CVE-2015-1159 exploiting the dynamic linker (STR #4609)\n\nSecurity: The scheduler could hang with malformed gzip data (STR #4602)", "published": "2015-06-10T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=84070", "cvelist": ["CVE-2015-1158", "CVE-2015-1159"], "lastseen": "2017-10-29T13:41:17"}, {"id": "DEBIAN_DLA-239.NASL", "type": "nessus", "title": "Debian DLA-239-1 : cups security update", "description": "Two critical vulnerabilities have been found in the CUPS printing system :\n\nCVE-2015-1158 - Improper Update of Reference Count Cupsd uses reference-counted strings with global scope. When parsing a print job request, cupsd over-decrements the reference count for a string from the request. As a result, an attacker can prematurely free an arbitrary string of global scope. 
They can use this to dismantle ACL’s protecting privileged operations, and upload a replacement configuration file, and subsequently run arbitrary code on a target machine.\n\nThis bug is exploitable in default configurations, and does not require any special permissions other than the basic ability to print.\n\nCVE-2015-1159 - Cross-Site Scripting A cross-site scripting bug in the CUPS templating engine allows the above bug to be exploited when a user browses the web. This XSS is reachable in the default configuration for Linux instances of CUPS, and allows an attacker to bypass default configuration settings that bind the CUPS scheduler to the ‘localhost’ or loopback interface.\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2015-06-10T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=84061", "cvelist": ["CVE-2015-1158", "CVE-2015-1159"], "lastseen": "2017-10-29T13:45:27"}, {"id": "UBUNTU_USN-2629-1.NASL", "type": "nessus", "title": "Ubuntu 12.04 LTS / 14.04 LTS / 14.10 / 15.04 : cups vulnerabilities (USN-2629-1)", "description": "It was discovered that CUPS incorrectly handled reference counting when handling localized strings. A remote attacker could use this issue to escalate permissions, upload a replacement CUPS configuration file, and execute arbitrary code. (CVE-2015-1158)\n\nIt was discovered that the CUPS templating engine contained a cross-site scripting issue. A remote attacker could use this issue to bypass default configuration settings. (CVE-2015-1159).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2015-06-11T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=84117", "cvelist": ["CVE-2015-1158", "CVE-2015-1159"], "lastseen": "2017-10-29T13:33:03"}, {"id": "CUPS_2_0_3.NASL", "type": "nessus", "title": "CUPS < 2.0.3 Multiple Vulnerabilities", "description": "According to its banner, the CUPS printer service running on the remote host is a version prior to 2.0.3. It is, therefore, potentially affected by the following vulnerabilities :\n\n - A privilege escalation vulnerability exists due to a flaw in cupsd when handling printer job request errors.\n An unauthenticated, remote attacker can exploit this, with a specially crafted request, to prematurely free an arbitrary string of global scope, creating a dangling pointer to a repurposed block of memory on the heap, resulting ACL verification to fail when parsing 'admin/conf' and 'admin' ACLs. This allows an attacker to upload a replacement CUPS configuration file.\n (CVE-2015-1158)\n\n - A cross-site scripting vulnerability exists due to improper sanitization of user-supplied input to the 'QUERY' parameter of the help page. This allows a remote attacker, with a specially crafted request, to execute arbitrary script code. 
(CVE-2015-1159)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "published": "2015-06-12T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=84149", "cvelist": ["CVE-2015-1158", "CVE-2015-1159"], "lastseen": "2017-10-29T13:32:55"}, {"id": "DEBIAN_DSA-3283.NASL", "type": "nessus", "title": "Debian DSA-3283-1 : cups - security update", "description": "It was discovered that CUPS, the Common UNIX Printing System, is vulnerable to a remotely triggerable privilege escalation via cross-site scripting and bad print job submission used to replace cupsd.conf on the CUPS server.", "published": "2015-06-10T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=84063", "cvelist": ["CVE-2015-1158", "CVE-2015-1159"], "lastseen": "2017-10-29T13:32:47"}, {"id": "ORACLELINUX_ELSA-2015-1123.NASL", "type": "nessus", "title": "Oracle Linux 6 / 7 : cups (ELSA-2015-1123)", "description": "From Red Hat Security Advisory 2015:1123 :\n\nUpdated cups packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6 and 7.\n\nRed Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nCUPS provides a portable printing layer for Linux, UNIX, and similar operating systems.\n\nA string reference count bug was found in cupsd, causing premature freeing of string objects. 
An attacker can submit a malicious print job that exploits this flaw to dismantle ACLs protecting privileged operations, allowing a replacement configuration file to be uploaded which in turn allows the attacker to run arbitrary code in the CUPS server (CVE-2015-1158)\n\nA cross-site scripting flaw was found in the cups web templating engine. An attacker could use this flaw to bypass the default configuration settings that bind the CUPS scheduler to the 'localhost' or loopback interface. (CVE-2015-1159)\n\nAn integer overflow leading to a heap-based buffer overflow was found in the way cups handled compressed raster image files. An attacker could create a specially crafted image file, which when passed via the cups Raster filter, could cause the cups filter to crash.\n(CVE-2014-9679)\n\nRed Hat would like to thank the CERT/CC for reporting CVE-2015-1158 and CVE-2015-1159 issues.\n\nAll cups users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the cupsd daemon will be restarted automatically.", "published": "2015-06-18T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=84256", "cvelist": ["CVE-2014-9679", "CVE-2015-1158", "CVE-2015-1159"], "lastseen": "2017-10-29T13:34:13"}, {"id": "SUSE_SU-2015-1041-1.NASL", "type": "nessus", "title": "SUSE SLED12 / SLES12 Security Update : cups (SUSE-SU-2015:1041-1)", "description": "The following issues are fixed by this update :\n\n - CVE-2012-5519: privilege escalation via cross-site scripting and bad print job submission used to replace cupsd.conf on server (bsc#924208).\n\n - CVE-2015-1158: Improper Update of Reference Count\n\n - CVE-2015-1159: Cross-Site Scripting\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2015-06-12T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=84145", "cvelist": ["CVE-2015-1158", "CVE-2012-5519", "CVE-2015-1159"], "lastseen": "2017-10-29T13:41:35"}], "openvas": [{"id": "OPENVAS:1361412562310869513", "type": "openvas", "title": "Fedora Update for cups FEDORA-2015-9726", "description": "Check the version of cups", "published": "2015-07-07T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310869513", "cvelist": ["CVE-2015-1158", "CVE-2015-1159"], "lastseen": "2017-07-25T10:53:05"}, {"id": "OPENVAS:1361412562310842238", "type": "openvas", "title": "Ubuntu Update for cups USN-2629-1", "description": "Check the version of cups", "published": "2015-06-11T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842238", "cvelist": ["CVE-2015-1158", "CVE-2015-1159"], "lastseen": "2017-12-04T11:23:38"}, {"id": "OPENVAS:1361412562310105298", "type": "openvas", "title": "CUPS < 2.0.3 Multiple Vulnerabilities", "description": "Various versions of CUPS are vulnerable\nto a privilege escalation due to a memory management error.", "published": "2015-06-15T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310105298", "cvelist": ["CVE-2015-1158", "CVE-2015-1159"], "lastseen": "2018-04-12T11:45:28"}, {"id": "OPENVAS:1361412562310703283", "type": "openvas", "title": "Debian Security Advisory DSA 3283-1 (cups - security update)", "description": "It was discovered that 
CUPS, the\nCommon UNIX Printing System, is vulnerable to a remotely triggerable privilege\nescalation via cross-site scripting and bad print job submission used to replace\ncupsd.conf on the CUPS server.", "published": "2015-06-09T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703283", "cvelist": ["CVE-2015-1158", "CVE-2015-1159"], "lastseen": "2018-04-06T11:27:45"}, {"id": "OPENVAS:1361412562310121420", "type": "openvas", "title": "Gentoo Linux Local Check: https://security.gentoo.org/glsa/201510-07", "description": "Gentoo Linux Local Security Checks https://security.gentoo.org/glsa/201510-07", "published": "2015-11-08T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310121420", "cvelist": ["CVE-2015-1158", "CVE-2015-1159"], "lastseen": "2018-04-09T11:30:09"}, {"id": "OPENVAS:703283", "type": "openvas", "title": "Debian Security Advisory DSA 3283-1 (cups - security update)", "description": "It was discovered that CUPS, the\nCommon UNIX Printing System, is vulnerable to a remotely triggerable privilege\nescalation via cross-site scripting and bad print job submission used to replace\ncupsd.conf on the CUPS server.", "published": "2015-06-09T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=703283", "cvelist": ["CVE-2015-1158", "CVE-2015-1159"], "lastseen": "2017-07-24T12:53:21"}, {"id": "OPENVAS:1361412562310123098", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2015-1123", "description": "Oracle Linux Local Security Checks ELSA-2015-1123", "published": "2015-10-06T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": 
"http://plugins.openvas.org/nasl.php?oid=1361412562310123098", "cvelist": ["CVE-2014-9679", "CVE-2015-1158", "CVE-2015-1159"], "lastseen": "2017-07-24T12:53:30"}, {"id": "OPENVAS:1361412562310869456", "type": "openvas", "title": "Fedora Update for cups FEDORA-2015-9801", "description": "Check the version of cups", "published": "2015-06-21T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310869456", "cvelist": ["CVE-2014-9679", "CVE-2015-1158", "CVE-2015-1159"], "lastseen": "2017-07-25T10:53:26"}, {"id": "OPENVAS:1361412562310120032", "type": "openvas", "title": "Amazon Linux Local Check: ALAS-2015-559", "description": "Amazon Linux Local Security Checks", "published": "2015-09-08T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120032", "cvelist": ["CVE-2014-9679", "CVE-2015-1158", "CVE-2015-1159"], "lastseen": "2017-07-24T12:53:21"}, {"id": "OPENVAS:1361412562310882201", "type": "openvas", "title": "CentOS Update for cups CESA-2015:1123 centos7 ", "description": "Check the version of cups", "published": "2015-06-19T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882201", "cvelist": ["CVE-2014-9679", "CVE-2015-1158", "CVE-2015-1159"], "lastseen": "2017-07-25T10:53:34"}], "gentoo": [{"id": "GLSA-201510-07", "type": "gentoo", "title": "CUPS: Multiple vulnerabilities", "description": "### Background\n\nCUPS, the Common Unix Printing System, is a full-featured print server.\n\n### Description\n\nMultiple vulnerabilities have been discovered in cups. Please review the CVE identifiers referenced below for details. 
\n\n### Impact\n\nA remote attacker could possibly execute arbitrary code with the privileges of the process, or cause a Denial of Service condition. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll CUPS users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-print/cups-2.0.3\"", "published": "2015-10-31T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://security.gentoo.org/glsa/201510-07", "cvelist": ["CVE-2015-1158", "CVE-2015-1159"], "lastseen": "2016-09-06T19:46:51"}], "debian": [{"id": "DSA-3283", "type": "debian", "title": "cups -- security update", "description": "It was discovered that CUPS, the Common UNIX Printing System, is vulnerable to a remotely triggerable privilege escalation via cross-site scripting and bad print job submission used to replace cupsd.conf on the CUPS server.\n\nFor the oldstable distribution (wheezy), these problems have been fixed in version 1.5.3-5+deb7u6.\n\nFor the stable distribution (jessie), these problems have been fixed in version 1.7.5-11+deb8u1.\n\nFor the unstable distribution (sid), these problems have been fixed in version 1.7.5-12.\n\nWe recommend that you upgrade your cups packages.", "published": "2015-06-09T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.debian.org/security/dsa-3283", "cvelist": ["CVE-2015-1158", "CVE-2015-1159"], "lastseen": "2016-09-02T18:34:03"}, {"id": "DLA-239", "type": "debian", "title": "cups -- LTS security update", "description": "Two critical vulnerabilities have been found in the CUPS printing system:\n\n * [CVE-2015-1158](<https://security-tracker.debian.org/tracker/CVE-2015-1158>)\n\n\\- Improper Update of Reference Count Cupsd uses reference-counted strings with global scope. 
When parsing a print job request, cupsd over-decrements the reference count for a string from the request. As a result, an attacker can prematurely free an arbitrary string of global scope. They can use this to dismantle ACL\u2019s protecting privileged operations, and upload a replacement configuration file, and subsequently run arbitrary code on a target machine.\n\nThis bug is exploitable in default configurations, and does not require any special permissions other than the basic ability to print.\n\n * [CVE-2015-1159](<https://security-tracker.debian.org/tracker/CVE-2015-1159>)\n\n\\- Cross-Site Scripting A cross-site scripting bug in the CUPS templating engine allows the above bug to be exploited when a user browses the web. This XSS is reachable in the default configuration for Linux instances of CUPS, and allows an attacker to bypass default configuration settings that bind the CUPS scheduler to the \u2018localhost\u2019 or loopback interface.", "published": "2015-06-09T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.debian.org/security/2015/dla-239", "cvelist": ["CVE-2015-1158", "CVE-2015-1159"], "lastseen": "2017-10-05T12:58:46"}], "ubuntu": [{"id": "USN-2629-1", "type": "ubuntu", "title": "CUPS vulnerabilities", "description": "It was discovered that CUPS incorrectly handled reference counting when handling localized strings. A remote attacker could use this issue to escalate permissions, upload a replacement CUPS configuration file, and execute arbitrary code. (CVE-2015-1158)\n\nIt was discovered that the CUPS templating engine contained a cross-site scripting issue. A remote attacker could use this issue to bypass default configuration settings. 
(CVE-2015-1159)", "published": "2015-06-10T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://usn.ubuntu.com/2629-1/", "cvelist": ["CVE-2015-1158", "CVE-2015-1159"], "lastseen": "2018-03-29T18:18:15"}], "packetstorm": [{"id": "PACKETSTORM:132389", "type": "packetstorm", "title": "CUPS XSS / String Handling / Improper Teardown", "description": "", "published": "2015-06-22T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://packetstormsecurity.com/files/132389/CUPS-XSS-String-Handling-Improper-Teardown.html", "cvelist": ["CVE-2015-1158", "CVE-2015-1159"], "lastseen": "2016-12-05T22:23:53"}], "archlinux": [{"id": "ASA-201506-2", "type": "archlinux", "title": "cups: multiple issues", "description": "- CVE-2015-1158 (arbitrary code execution, privilege escalation)\n\nAn issue with how localized strings are handled in cupsd allows a\nreference counter to over-decrement when handling certain print job\nrequest errors. As a result, an attacker can prematurely free an\narbitrary string of global scope, creating a dangling pointer to a\nrepurposed block of memory on the heap. The dangling pointer causes ACL\nverification to fail when parsing 'admin/conf' and 'admin' ACLs. The ACL\nhandling failure results in unrestricted access to privileged\noperations, allowing an unauthenticated remote user to upload a\nreplacement CUPS configuration file and mount further attacks.\n\n- CVE-2015-1159 (cross-site scripting)\n\nA cross-site scripting bug in the CUPS templating engine allows this bug\nto be exploited when a user browses the web. In certain cases, the CGI\ntemplate can echo user input to file rather than escaping the text\nfirst. This may be used to set up a reflected XSS attack in the QUERY\nparameter of the web interface help page. 
By default, many linux\ndistributions run with the web interface activated.", "published": "2015-06-10T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://lists.archlinux.org/pipermail/arch-security/2015-June/000343.html", "cvelist": ["CVE-2015-1158", "CVE-2015-1159"], "lastseen": "2016-09-02T18:44:48"}], "freebsd": [{"id": "A40EC970-0EFA-11E5-90E4-D050996490D0", "type": "freebsd", "title": "cups -- multiple vulnerabilities", "description": "\nCUPS development team reports:\n\nThe new release addresses two security vulnerabilities,\n\t add localizations for German and Russian, and includes\n\t several general bug fixes. Changes include:\nSecurity: Fixed CERT VU #810572/CVE-2015-1158/CVE-2015-1159\n\t exploiting the dynamic linker (STR #4609)\nSecurity: The scheduler could hang with malformed\n\t gzip data (STR #4602)\n\n", "published": "2015-06-09T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://vuxml.freebsd.org/freebsd/a40ec970-0efa-11e5-90e4-d050996490d0.html", "cvelist": ["CVE-2015-1158", "CVE-2015-1159"], "lastseen": "2016-09-26T17:24:19"}], "suse": [{"id": "OPENSUSE-SU-2015:1056-1", "type": "suse", "title": "Security update for cups (critical)", "description": "This update fixes the following issues:\n\n - CVE-2015-1158 and CVE-2015-1159 fixes a possible privilege escalation\n via cross-site scripting and bad print job submission used to replace\n cupsd.conf on server (CUPS STR#4609 CERT-VU-810572 CVE-2015-1158\n CVE-2015-1159 bugzilla.suse.com bsc#924208). In general it is crucial to\n limit access to CUPS to trustworthy users who do not misuse their\n permission to submit print jobs which means to upload arbitrary data\n onto the CUPS server, see\n <a rel=\"nofollow\" href=\"https://en.opensuse.org/SDB:CUPS_and_SANE_Firewall_settings\">https://en.opensuse.org/SDB:CUPS_and_SANE_Firewall_settings</a> and cf. 
the\n entries about CVE-2012-5519 below.\n\n", "published": "2015-06-12T21:05:05", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00010.html", "cvelist": ["CVE-2015-1158", "CVE-2012-5519", "CVE-2015-1159"], "lastseen": "2016-09-04T11:30:36"}, {"id": "SUSE-SU-2015:1044-2", "type": "suse", "title": "Security update for cups154 (critical)", "description": "The following issues are fixed by this update:\n\n * CVE-2012-5519: privilege escalation via cross-site scripting and bad\n print job submission used to replace cupsd.conf on server (bsc#924208).\n * CVE-2015-1158: Improper Update of Reference Count\n * CVE-2015-1159: Cross-Site Scripting\n\n", "published": "2015-06-11T20:06:22", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00008.html", "cvelist": ["CVE-2015-1158", "CVE-2012-5519", "CVE-2015-1159"], "lastseen": "2016-09-04T12:47:49"}, {"id": "SUSE-SU-2015:1044-1", "type": "suse", "title": "Security update for cups154 (critical)", "description": "The following issues are fixed by this update:\n\n * CVE-2012-5519: privilege escalation via cross-site scripting and bad\n print job submission used to replace cupsd.conf on server (bsc#924208).\n * CVE-2015-1158: Improper Update of Reference Count\n * CVE-2015-1159: Cross-Site Scripting\n\n", "published": "2015-06-11T19:04:58", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00006.html", "cvelist": ["CVE-2015-1158", "CVE-2012-5519", "CVE-2015-1159"], "lastseen": "2016-09-04T12:36:14"}, {"id": "SUSE-SU-2015:1041-1", "type": "suse", "title": "Security update for cups (critical)", "description": "The following issues are fixed by this update:\n\n * 
CVE-2012-5519: privilege escalation via cross-site scripting and bad\n print job submission used to replace cupsd.conf on server (bsc#924208).\n * CVE-2015-1158: Improper Update of Reference Count\n * CVE-2015-1159: Cross-Site Scripting\n\n", "published": "2015-06-11T17:05:04", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00003.html", "cvelist": ["CVE-2015-1158", "CVE-2012-5519", "CVE-2015-1159"], "lastseen": "2016-09-04T11:26:30"}], "oraclelinux": [{"id": "ELSA-2015-1123", "type": "oraclelinux", "title": "cups security update", "description": "[1:1.4.2-67.1]\n- CVE-2015-1158, CVE-2015-1159, CVE-2014-9679 (bug #1229982).", "published": "2015-06-17T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://linux.oracle.com/errata/ELSA-2015-1123.html", "cvelist": ["CVE-2014-9679", "CVE-2015-1158", "CVE-2015-1159"], "lastseen": "2016-09-04T11:16:53"}], "redhat": [{"id": "RHSA-2015:1123", "type": "redhat", "title": "(RHSA-2015:1123) Important: cups security update", "description": "CUPS provides a portable printing layer for Linux, UNIX, and similar\noperating systems.\n\nA string reference count bug was found in cupsd, causing premature freeing\nof string objects. An attacker can submit a malicious print job that\nexploits this flaw to dismantle ACLs protecting privileged operations,\nallowing a replacement configuration file to be uploaded which in turn\nallows the attacker to run arbitrary code in the CUPS server (CVE-2015-1158)\n\nA cross-site scripting flaw was found in the cups web templating engine. 
An \nattacker could use this flaw to bypass the default configuration settings \nthat bind the CUPS scheduler to the 'localhost' or loopback interface.\n(CVE-2015-1159)\n\nAn integer overflow leading to a heap-based buffer overflow was found in\nthe way cups handled compressed raster image files. An attacker could\ncreate a specially-crafted image file, which when passed via the cups\nRaster filter, could cause the cups filter to crash. (CVE-2014-9679)\n\nRed Hat would like to thank the CERT/CC for reporting CVE-2015-1158 and \nCVE-2015-1159 issues.\n\nAll cups users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. After installing this\nupdate, the cupsd daemon will be restarted automatically.\n", "published": "2015-06-17T04:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2015:1123", "cvelist": ["CVE-2014-9679", "CVE-2015-1158", "CVE-2015-1159"], "lastseen": "2018-04-15T14:24:52"}], "amazon": [{"id": "ALAS-2015-559", "type": "amazon", "title": "Medium: cups", "description": "**Issue Overview:**\n\nA string reference count bug was found in cupsd, causing premature freeing of string objects. An attacker can submit a malicious print job that exploits this flaw to dismantle ACLs protecting privileged operations, allowing a replacement configuration file to be uploaded which in turn allows the attacker to run arbitrary code in the CUPS server ([CVE-2015-1158](<https://access.redhat.com/security/cve/CVE-2015-1158>))\n\nA cross-site scripting flaw was found in the cups web templating engine. An attacker could use this flaw to bypass the default configuration settings that bind the CUPS scheduler to the 'localhost' or loopback interface. 
([CVE-2015-1159](<https://access.redhat.com/security/cve/CVE-2015-1159>))\n\nAn integer overflow leading to a heap-based buffer overflow was found in the way cups handled compressed raster image files. An attacker could create a specially-crafted image file, which when passed via the cups Raster filter, could cause the cups filter to crash. ([CVE-2014-9679](<https://access.redhat.com/security/cve/CVE-2014-9679>))\n\n \n**Affected Packages:** \n\n\ncups\n\n \n**Issue Correction:** \nRun _yum update cups_ to update your system. \n\n \n**New Packages:**\n \n \n i686: \n cups-debuginfo-1.4.2-67.21.amzn1.i686 \n cups-libs-1.4.2-67.21.amzn1.i686 \n cups-php-1.4.2-67.21.amzn1.i686 \n cups-devel-1.4.2-67.21.amzn1.i686 \n cups-1.4.2-67.21.amzn1.i686 \n cups-lpd-1.4.2-67.21.amzn1.i686 \n \n src: \n cups-1.4.2-67.21.amzn1.src \n \n x86_64: \n cups-debuginfo-1.4.2-67.21.amzn1.x86_64 \n cups-php-1.4.2-67.21.amzn1.x86_64 \n cups-libs-1.4.2-67.21.amzn1.x86_64 \n cups-devel-1.4.2-67.21.amzn1.x86_64 \n cups-1.4.2-67.21.amzn1.x86_64 \n cups-lpd-1.4.2-67.21.amzn1.x86_64 \n \n \n", "published": "2015-07-07T12:34:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://alas.aws.amazon.com/ALAS-2015-559.html", "cvelist": ["CVE-2014-9679", "CVE-2015-1158", "CVE-2015-1159"], "lastseen": "2016-09-28T21:04:09"}], "centos": [{"id": "CESA-2015:1123", "type": "centos", "title": "cups security update", "description": "**CentOS Errata and Security Advisory** CESA-2015:1123\n\n\nCUPS provides a portable printing layer for Linux, UNIX, and similar\noperating systems.\n\nA string reference count bug was found in cupsd, causing premature freeing\nof string objects. 
An attacker can submit a malicious print job that\nexploits this flaw to dismantle ACLs protecting privileged operations,\nallowing a replacement configuration file to be uploaded which in turn\nallows the attacker to run arbitrary code in the CUPS server (CVE-2015-1158)\n\nA cross-site scripting flaw was found in the cups web templating engine. An \nattacker could use this flaw to bypass the default configuration settings \nthat bind the CUPS scheduler to the 'localhost' or loopback interface.\n(CVE-2015-1159)\n\nAn integer overflow leading to a heap-based buffer overflow was found in\nthe way cups handled compressed raster image files. An attacker could\ncreate a specially-crafted image file, which when passed via the cups\nRaster filter, could cause the cups filter to crash. (CVE-2014-9679)\n\nRed Hat would like to thank the CERT/CC for reporting CVE-2015-1158 and \nCVE-2015-1159 issues.\n\nAll cups users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. After installing this\nupdate, the cupsd daemon will be restarted automatically.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2015-June/021178.html\nhttp://lists.centos.org/pipermail/centos-announce/2015-June/021179.html\n\n**Affected packages:**\ncups\ncups-client\ncups-devel\ncups-filesystem\ncups-ipptool\ncups-libs\ncups-lpd\ncups-php\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2015-1123.html", "published": "2015-06-18T11:29:43", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2015-June/021178.html", "cvelist": ["CVE-2014-9679", "CVE-2015-1158", "CVE-2015-1159"], "lastseen": "2017-10-03T18:25:02"}]}}