CVE Vulnerabilities

CVE-2016-2244

Exposure of Sensitive Information to an Unauthorized Actor

Published: Mar 04, 2016 | Modified: Dec 03, 2016
CVSS 3.x
5.9
MEDIUM
Source:
NVD
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 2.x
5 MEDIUM
AV:N/AC:L/Au:N/C:P/I:N/A:N
RedHat/V2
RedHat/V3
Ubuntu

HP LaserJet printers and MFPs and OfficeJet Enterprise printers with firmware before 3.7.01 allow remote attackers to obtain sensitive information via unspecified vectors.

Weakness

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Affected Software

Name Vendor Start Version End Version
A2w75a Hp - (including) - (including)
A2w76a Hp - (including) - (including)
A2w77a Hp - (including) - (including)
A2w78a Hp - (including) - (including)
A2w79a Hp - (including) - (including)
B3g85a Hp - (including) - (including)
B5l04a Hp - (including) - (including)
B5l05a Hp - (including) - (including)
B5l07a Hp - (including) - (including)
C2s11a Hp - (including) - (including)
C2s12a Hp - (including) - (including)
Ca251a Hp - (including) - (including)
Cc522a Hp - (including) - (including)
Cc523a Hp - (including) - (including)
Cc524a Hp - (including) - (including)
Cd644a Hp - (including) - (including)
Cd645a Hp - (including) - (including)
Cd646a Hp - (including) - (including)
Ce989a Hp - (including) - (including)
Ce990a Hp - (including) - (including)
Ce991a Hp - (including) - (including)
Ce992a Hp - (including) - (including)
Ce993a Hp - (including) - (including)
Ce994a Hp - (including) - (including)
Ce995a Hp - (including) - (including)
Ce996a Hp - (including) - (including)
Cf066a Hp - (including) - (including)
Cf067a Hp - (including) - (including)
Cf068a Hp - (including) - (including)
Cf069a Hp - (including) - (including)
Cf081a Hp - (including) - (including)
Cf082a Hp - (including) - (including)
Cf083a Hp - (including) - (including)
Cf116a Hp - (including) - (including)
Cf117a Hp - (including) - (including)
Cf118a Hp - (including) - (including)
Cf235a Hp - (including) - (including)
Cf236a Hp - (including) - (including)
Cf238a Hp - (including) - (including)
Cf367a Hp - (including) - (including)
Cz244a Hp - (including) - (including)
Cz245a Hp - (including) - (including)
Cz249a Hp - (including) - (including)
Cz250a Hp - (including) - (including)
Cz255a Hp - (including) - (including)
Cz256a Hp - (including) - (including)
Cz257a Hp - (including) - (including)
Cz258a Hp - (including) - (including)
D3l08a Hp - (including) - (including)
D3l09a Hp - (including) - (including)
D3l10a Hp - (including) - (including)
D7p70a Hp - (including) - (including)
D7p71a Hp - (including) - (including)
J7x28a Hp - (including) - (including)

Extended Description

There are many different kinds of mistakes that introduce information exposures. The severity of the error can range widely, depending on the context in which the product operates, the type of sensitive information that is revealed, and the benefits it may provide to an attacker. Some kinds of sensitive information include:

Information might be sensitive to different parties, each of which may have their own expectations for whether the information should be protected. These parties include:

Information exposures can occur in different ways:

It is common practice to describe any loss of confidentiality as an “information exposure,” but this can lead to overuse of CWE-200 in CWE mapping. From the CWE perspective, loss of confidentiality is a technical impact that can arise from dozens of different weaknesses, such as insecure file permissions or out-of-bounds read. CWE-200 and its lower-level descendants are intended to cover the mistakes that occur in behaviors that explicitly manage, store, transfer, or cleanse sensitive information.

Potential Mitigations

  • Compartmentalize the system to have “safe” areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area.
  • Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.

References