Description
CUPS before 1.1.21rc1 treats a Location directive in cupsd.conf as case sensitive, which allows attackers to bypass intended ACLs via a printer name containing uppercase or lowercase letters that are different from what is specified in the directive.
Product(s):
- Apple CUPS
- Apple Cups
- Apple CUPS 1.1.10-1
- Apple CUPS 1.1.10
- Apple CUPS 1.1.11
- Apple CUPS 1.1.12
- Apple CUPS 1.1.13
- Apple CUPS 1.1.14
- Apple CUPS 1.1.15
- Apple CUPS 1.1.16
- Apple CUPS 1.1.17
- Apple CUPS 1.18
- Apple CUPS 1.1.19
- Apple CUPS 1.1.19 release candidate 1
- Apple CUPS 1.1.19 release candidate 2
- Apple CUPS 1.1.19 release candidate 3
- Apple CUPS 1.1.19 release candidate 4
- Apple CUPS 1.1.19 release candidate 5
- Apple CUPS 1.1.1
- Apple CUPS 1.1.20
- Apple CUPS 1.1.20 release candidate 1
- Apple CUPS 1.1.20 release candidate 2
- Apple CUPS 1.1.20 release candidate 3
- Apple CUPS 1.1.20 release candidate 4
- Apple CUPS 1.1.20 release candidate 5
- Apple CUPS 1.1.20 release candidate 6
- Apple Cups 1.1.21 -
- Apple CUPS 1.1.2
- Apple CUPS 1.1.3
- Apple CUPS 1.1.4
- Apple CUPS 1.1.5-1
- Apple CUPS 1.1.5-2
- Apple CUPS 1.1.5
- Apple CUPS 1.1.6-1
- Apple CUPS 1.1.6-2
- Apple CUPS 1.1.6-3
- Apple CUPS 1.1.6
- Apple CUPS 1.1.7
- Apple CUPS 1.1.8
- Apple CUPS 1.1.9-1
- Apple CUPS 1.1.9
- Apple CUPS 1.1
- Canonical Ubuntu Linux 4.10
Questions to Ask Vendors:
- Can you confirm whether your systems are affected by CVE-2004-2154, and if so, what steps are you currently taking to mitigate this vulnerability?
- What is your estimated timeline for fully resolving CVE-2004-2154 in your products or services, and how will you communicate updates on this issue to us as your customer?
Recommended Actions:
- Check out the advisory links provided below.