Vulnerability Description
When no user is logged in, the web interface (cgi-bin/admin.c) in CUPS before 1.3.8 falls back to the guest username, so an unauthenticated request is processed as the guest user. This makes it easier for remote attackers to bypass the intended policy and carry out cross-site request forgery (CSRF) against the (1) add and (2) cancel RSS subscription functions.
CVSS Score
10.0 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apple | Cups | <= 1.3.7 |
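The only version boundary the advisory gives is "before 1.3.8". The script below, an added example that is not part of the advisory or of the CUPS project, triages version strings against that boundary. It handles two sources: the HTTP `Server:` header, which CUPS 1.x sends as `CUPS/1.3` (major.minor only, so it cannot tell 1.3.7 from 1.3.8), and the output of `cups-config --version` (for example `1.3.7`), which carries the patch level. The `_HEADER_RE`/`_BARE_RE` patterns and the sample strings are assumptions constructed for the example. One caveat a practitioner should keep in mind: distribution packages that backport the fix keep the old version number, so a verdict of "affected" from the version alone should be confirmed against the vendor advisories in the references.

```python
"""Triage CUPS version strings against the fix version for CVE-2008-5184.

Added example, not from the advisory or from CUPS. The only fact taken from the
page is that CUPS before 1.3.8 is affected. Sample strings are constructed.
"""
import re
from typing import List, Optional, Tuple

FIXED_IN = (1, 3, 8)  # first release the advisory names as not affected

# Version inside a Server header, e.g. "Server: CUPS/1.3" or "CUPS/1.3.7".
_HEADER_RE = re.compile(r"\bCUPS/(\d+)\.(\d+)(?:\.(\d+))?")
# Bare version as printed by `cups-config --version`, e.g. "1.3.7".
_BARE_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?\s*$")


def parse_version(text: str) -> Optional[Tuple[int, int, Optional[int]]]:
    """Return (major, minor, patch) or None if no CUPS version is present.

    patch is None when the string carries only major.minor, which is what the
    CUPS 1.x Server header looks like.
    """
    m = _HEADER_RE.search(text) or _BARE_RE.match(text)
    if not m:
        return None
    patch = int(m.group(3)) if m.group(3) is not None else None
    return int(m.group(1)), int(m.group(2)), patch


def verdict(text: str) -> str:
    """Classify as 'affected', 'not affected' or 'unknown'.

    'unknown' must never be treated as safe: it means the input did not carry
    enough information (no CUPS version, or 1.3.x without a patch level).
    """
    v = parse_version(text)
    if v is None:
        return "unknown"
    major, minor, patch = v
    if patch is not None:
        return "affected" if (major, minor, patch) < FIXED_IN else "not affected"
    # Only major.minor is known (typical for the Server header).
    if (major, minor) < FIXED_IN[:2]:
        return "affected"        # 1.2.x and earlier all predate 1.3.8
    if (major, minor) > FIXED_IN[:2]:
        return "not affected"    # 1.4 and later are newer than the fix
    return "unknown"             # 1.3.x: need `cups-config --version`


def triage(inputs: List[str]) -> List[Tuple[str, str]]:
    """Pair each input string with its verdict."""
    return [(s, verdict(s)) for s in inputs]


# Constructed samples: three Server headers and two cups-config outputs.
SAMPLES = [
    "Server: CUPS/1.3",
    "Server: CUPS/1.2",
    "Server: CUPS/1.4",
    "1.3.7",
    "1.3.8",
    "Server: Apache/2.2.9",
]

if __name__ == "__main__":
    for text, result in triage(SAMPLES):
        print(f"{text:24} -> {result}")
```

Run it against the real outputs by feeding the `Server:` line from a HEAD request to port 631 and the line printed by `cups-config --version` on the host; the header alone resolves 1.2.x and 1.4+, and only the bare version string resolves the 1.3.7 versus 1.3.8 case.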
Related Weaknesses (CWE)
References
- http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00002.html
- http://www.cups.org/str.php?L2774
- http://www.gnucitizen.org/blog/pwning-ubuntu-via-cups/ (Exploit)
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:028
- http://www.openwall.com/lists/oss-security/2008/11/19/3
FAQ
What is CVE-2008-5184?
CVE-2008-5184 is a vulnerability with a CVSS score of 10.0 (HIGH). When no user is logged in, the web interface (cgi-bin/admin.c) in CUPS before 1.3.8 falls back to the guest username, which makes it easier for remote attackers to bypass the intended policy and carry out CSRF attacks against the (1) add and (2) cancel RSS subscription functions.
How severe is CVE-2008-5184?
CVE-2008-5184 has been rated HIGH with a CVSS base score of 10.0/10. Only the base score is given on this page; no vector breakdown is listed.
Is there a patch for CVE-2008-5184?
The issue is fixed in CUPS 1.3.8 (CUPS STR #2774, linked in the references). Distribution users should consult the vendor advisories in the references section (openSUSE, Mandriva MDVSA-2009:028), since distributions commonly ship the fix as a backport without changing the package's upstream version number. Affected products include: Apple Cups.