CVE-2009-0164

2009-04-2400:00:00

ubuntu.com

6.4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:P/A:P

0.01 Low

EPSS

Percentile

83.2%

JSON

The web interface for CUPS before 1.3.10 does not validate the HTTP Host
header in a client request, which makes it easier for remote attackers to
conduct DNS rebinding attacks.

Notes

Author	Note
kees	cups/CVE-2009-0164.patch
jdstrand	patch is large, could break existing configurations if the auto-discovery of alternate names does not work (eg, with CNAMES), and requires a coordinated attack. The vulnerability appears to be mostly information leakage, but might also allow starting and stopping of printers. An attacker trying to perform actions via the web interface should be challenged by the authentication system. The new ServerAlias directive will be a part of 1.3.10.

Author

Note

kees

cups/CVE-2009-0164.patch

jdstrand

patch is large, could break existing configurations if the auto-discovery of alternate names does not work (eg, with CNAMES), and requires a coordinated attack. The vulnerability appears to be mostly information leakage, but might also allow starting and stopping of printers. An attacker trying to perform actions via the web interface should be challenged by the authentication system. The new ServerAlias directive will be a part of 1.3.10.