CUPS 1.4.4, when running in certain Linux distributions such as Debian GNU/Linux, stores the web interface administrator key in /var/run/cups/certs/0 using certain permissions, which allows local users in the lpadmin group to read or write arbitrary files as root by leveraging the web interface.
Platform | Package | Release Date | Advisory |
---|---|---|---|
Amazon Linux 1 | cups | 2013-03-14 22:04 | ALAS-2013-170 |
Score Type | Score | Vector | |
---|---|---|---|
Amazon Linux | CVSSv2 | 7.4 | AV:A/AC:M/Au:S/C:C/I:C/A:C |
NVD | CVSSv2 | 7.2 | AV:L/AC:L/Au:N/C:C/I:C/A:C |