CUPS leaks print job documents to local and remote attackers. You need Linux with a printer setup and software that subscribes to printer events via IPP protocol and requests the job documents. The operation Cups-Get-Document is not protected as documented against unauthorized access. Unauthorized users are permitted to fetch documents. Upstream fix: https://github.com/OpenPrinting/cups/commit/a0c8b9c9556882f00c68b9727a95a1b6d1452913
Created cups tracking bugs for this issue: Affects: fedora-all [bug 2230497]
Hi, I would like to fix this issue for the reasons mentioned in the email which I sent as notification to secalert: - if attacker has access to cupsd (attacker got into the machine, or got into local network which subnets are configured to have access to the server, or cupsd is incorrectly configured to listen on public network and is not protected by firewall or any other means in cupsd.conf - 'Allow from' in <Limit>s and <Location>s) and finds out job id and username who printed the job, he can get the printed file in IPP response. - victim can mitigate by setting 'PreserveJobFiles No' (removes job file after printing - the default is to remove the file after one day), changing default policy (to authenticated or kerberos) or limiting means how the attacker can find out about usernames and job ids (limiting access to specific <location>s in cupsd.conf) Based on this, I'm not sure about severity of the vulnerability - I would like to know prodsec evaluation of it, so I can fix the issue accordingly. I'm putting NEEDINFO to the reporter, please switch it to a person doing the Secondary assessment. Thank you in advance!
FTR I've verified the file content is sent in IPP response with affected CUPS versions.
In reply to comment #3: > Based on this, I'm not sure about severity of the vulnerability - I would > like to know prodsec evaluation of it, so I can fix the issue accordingly. I've added a statement for change in severity from Moderate to Important for the CVE page as follows: This vulnerability is classified as important according to Red Hat's Severity Rating Classification as unauthorised users are permitted to fetch documents over local or remote network leading to confidentiality breach. https://access.redhat.com/security/updates/classification Please consider this a 'high' level in bugzilla.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions Via RHSA-2023:4765 https://access.redhat.com/errata/RHSA-2023:4765
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2023:4766 https://access.redhat.com/errata/RHSA-2023:4766
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions Red Hat Enterprise Linux 8.4 Telecommunications Update Service Via RHSA-2023:4768 https://access.redhat.com/errata/RHSA-2023:4768
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Advanced Update Support Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions Red Hat Enterprise Linux 8.2 Telecommunications Update Service Via RHSA-2023:4771 https://access.redhat.com/errata/RHSA-2023:4771
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Extended Update Support Via RHSA-2023:4769 https://access.redhat.com/errata/RHSA-2023:4769
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2023:4770 https://access.redhat.com/errata/RHSA-2023:4770
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:4838 https://access.redhat.com/errata/RHSA-2023:4838
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:4864 https://access.redhat.com/errata/RHSA-2023:4864
Added statement and mitigation for the CVE page https://access.redhat.com/security/cve/CVE-2023-32360