Local File Read Vulnerability in CUPS Affected by Symlink Attack
CVE-2013-6891
Currently unrated
Summary
CUPS prior to version 1.7.1 contains a local file read vulnerability in the lppasswd command, which runs with setuid privileges. By manipulating the HOME environment variable in conjunction with a symlink attack that targets .cups/client.conf, local users can read sensitive portions of arbitrary files on the system. This can expose confidential information and may enable further exploitation.
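A hardened way for a setuid program to locate and open a per-user configuration file, shown as an added example; it is not CUPS code and not the fix shipped in 1.7.1. The helper names trusted_home and open_client_conf are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: honour $HOME only when not running setuid/setgid. */
const char *trusted_home(void)
{
    if (getuid() != geteuid() || getgid() != getegid())
        return NULL;
    return getenv("HOME");
}

/* Hypothetical helper: open <home>/.cups/client.conf read-only.
 * Returns a descriptor, or -1 if any safety check fails. */
int open_client_conf(const char *home, uid_t owner)
{
    struct stat st;
    int dir, sub, conf;
    if (home == NULL)
        return -1;
    dir = open(home, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dir < 0)
        return -1;
    /* O_NOFOLLOW on each component: neither .cups nor the file may be a symlink. */
    sub = openat(dir, ".cups", O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    close(dir);
    if (sub < 0)
        return -1;
    /* O_NONBLOCK keeps a planted FIFO from stalling the open. */
    conf = openat(sub, "client.conf", O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    close(sub);
    if (conf < 0)
        return -1;
    /* Check the object actually opened: regular file owned by the real user. */
    if (fstat(conf, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != owner) {
        close(conf);
        return -1;
    }
    return conf;
}

int main(void)
{
    int fd = open_client_conf(trusted_home(), getuid());
    printf("client.conf %s\n", fd >= 0 ? "accepted" : "rejected");
    return 0;
}
```

The ownership check runs on the opened descriptor with fstat, so the file cannot be swapped between the check and the read.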
References
Timeline
Vulnerability published
Vulnerability Reserved