CVE-2014-3537

CUPS < 1.7.4 - Arbitrary File Read via Symlink Attack in RSS Cache

Title source: llm
STIX 2.1

Description

The web interface in CUPS before 1.7.4 allows local users in the lp group to read arbitrary files via a symlink attack on a file in /var/cache/cups/rss/.

References (15)

Core 15
Core References
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2014-July/135528.html
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/60273
Vendor Advisory x_refsource_confirm
http://www.cups.org/blog.php?L724
Vendor Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-2293-1
Third Party Advisory vendor-advisory x_refsource_apple
http://archives.neohapsis.com/archives/bugtraq/2014-10/0101.html
Vendor Advisory vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/68788
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/60787
Various Sources x_refsource_confirm
http://www.cups.org/str.php?L4450
Issue Tracking x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=1115576
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/59945
Vendor Advisory x_refsource_confirm
https://support.apple.com/kb/HT6535
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1030611
Third Party Advisory x_refsource_confirm
http://advisories.mageia.org/MGASA-2014-0313.html
Vendor Advisory vendor-advisory x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2015:108
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2014-1388.html

Scores

EPSS 0.0038
EPSS Percentile 29.5%

Details

CWE
CWE-59
Status published
Products (9)
apple/cups 1.7 rc1
apple/cups 1.7.0
apple/cups 1.7.1 (2 CPE variants)
apple/cups 1.7.2
apple/cups < 1.7.3
canonical/ubuntu_linux 10.04
canonical/ubuntu_linux 12.04
canonical/ubuntu_linux 14.04
fedoraproject/fedora 20
Published Jul 23, 2014
Tracked Since Feb 18, 2026