SB2019010844 - Cross-site request forgery in cups (Alpine package)
Published: January 8, 2019
Security Bulletin ID: SB2019010844
CSH Severity: Low
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Data manipulation
Description
This security bulletin contains information about 1 vulnerability.
1) Cross-site request forgery (CVE-ID: CVE-2018-4700)
CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to perform a CSRF attack.
The weakness exists in the CUPS printing server due to insufficient CSRF protections. A remote attacker can create a specially crafted HTML page or URL, trick the victim into visiting it, and, using the victim's authenticated session, gain access to the system and perform arbitrary actions on the victim's behalf.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=1e85ba7cf47c73eaf15e950267dba27e92ae3d1d
- https://git.alpinelinux.org/aports/commit/?id=aab6fd6ad9335b5dcd7ffbb1541583e2f722114d
- https://git.alpinelinux.org/aports/commit/?id=d76f1a5eb2c5b7d28084d2409d4c37b49a3892fe
- https://git.alpinelinux.org/aports/commit/?id=68360d670a4378ffa3a8e120bb4e9b7bb36267f5
- https://git.alpinelinux.org/aports/commit/?id=2f186b4a430de0eab78872fa2d1b61c3d32d45d2
- https://git.alpinelinux.org/aports/commit/?id=671ec375ba7ca1800eb669d70251fedfed2e8cd7
- https://git.alpinelinux.org/aports/commit/?id=69b77bf7b39d42f173925a274c637dd34d502781