Red Hat Bugzilla – Bug 473915
CVE-2008-5184 cups: improper use of the 'guest' username in the web UI, when user not logged on to the server
Last modified: 2010-03-29 04:44:13 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-5184 to
the following vulnerability:
The web interface (cgi-bin/admin.c) in CUPS before 1.3.8 uses the
guest username when a user is not logged on to the web server, which
makes it easier for remote attackers to bypass intended policy and
conduct CSRF attacks via the (1) add and (2) cancel RSS subscription
This issue did not affect the cups versions shipped with Red Hat Enterprise Linux 3 and 4. It also did not affect the 1.2.x version of cups shipped with Red Hat Enterprise Linux. Those versions do not support RSS subscriptions.
cups was updated to version 1.3.7 in Red Hat Enterprise Linux 5.3. Packages released in RHEL 5.3 include a patch for this issue and are not affected by this flaw.
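The guest-fallback problem described in the CVE text, modelled as an added example (not CUPS code): the pre-fix handler derives an identity from a missing login and proceeds, while the hardened handler refuses unauthenticated subscription changes and checks a per-session anti-CSRF token. Function, parameter and session names are assumptions.

```python
import hashlib
import hmac
import secrets


def resolve_user_before_fix(auth_user):
    """Pre-1.3.8 behaviour from the CVE text: a request without a
    logged-on user is treated as 'guest' and allowed to proceed."""
    return auth_user or "guest"


def handle_subscription_before_fix(action, auth_user):
    # 'add' and 'cancel' are the two RSS subscription operations named in the CVE
    if action not in ("add", "cancel"):
        return "unknown action"
    user = resolve_user_before_fix(auth_user)
    # A forged cross-site request with no credentials reaches this point.
    return f"{action} subscription as {user}"


def csrf_token(session_id, secret):
    """Per-session anti-CSRF token (assumed design): an HMAC over the
    session id that a cross-site page cannot read or compute."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def handle_subscription_after_fix(action, auth_user, session_id, token, secret):
    """Hardened form: state-changing actions require a real authenticated
    user (no default identity) and a token bound to that user's session."""
    if action not in ("add", "cancel"):
        return "unknown action"
    if not auth_user:  # never fall back to 'guest' for a write operation
        return "401 authentication required"
    expected = csrf_token(session_id, secret)
    if not token or not hmac.compare_digest(expected, token):
        return "403 bad or missing CSRF token"
    return f"{action} subscription as {auth_user}"


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed per-server secret
    print(handle_subscription_before_fix("add", None))
    print(handle_subscription_after_fix("add", None, "s1", None, key))
    print(handle_subscription_after_fix("cancel", "alice", "s1", csrf_token("s1", key), key))
```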