CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:P/A:P
EPSS
Percentile
83.5%
The web interface for CUPS before 1.3.10 does not validate the HTTP Host
header in a client request, which makes it easier for remote attackers to
conduct DNS rebinding attacks.
Author | Note |
---|---|
kees | cups/CVE-2009-0164.patch |
jdstrand | patch is large, could break existing configurations if the auto-discovery of alternate names does not work (eg, with CNAMES), and requires a coordinated attack. The vulnerability appears to be mostly information leakage, but might also allow starting and stopping of printers. An attacker trying to perform actions via the web interface should be challenged by the authentication system. The new ServerAlias directive will be a part of 1.3.10. |