The web interface in CUPS before 1.7.4 allows local users in the lp group to read arbitrary files via a symlink attack on a file in /var/cache/cups/rss/.
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Cups | Apple | * | 1.7.3 (including) |
Cups | Apple | 1.7-rc1 (including) | 1.7-rc1 (including) |
Cups | Apple | 1.7.0 (including) | 1.7.0 (including) |
Cups | Apple | 1.7.1 (including) | 1.7.1 (including) |
Cups | Apple | 1.7.1-b1 (including) | 1.7.1-b1 (including) |
Cups | Apple | 1.7.2 (including) | 1.7.2 (including) |