CVE-2009-0164

medium
New! CVE Severity Now Using CVSS v3

The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Description

The web interface for CUPS before 1.3.10 does not validate the HTTP Host header in a client request, which makes it easier for remote attackers to conduct DNS rebinding attacks.

References

http://bugs.gentoo.org/show_bug.cgi?id=263070

http://lists.apple.com/archives/security-announce/2009/May/msg00002.html

http://secunia.com/advisories/35074

http://security.gentoo.org/glsa/glsa-200904-20.xml

http://support.apple.com/kb/HT3549

http://wiki.rpath.com/Advisories:rPSA-2009-0061

http://www.cups.org/articles.php?L582

http://www.cups.org/str.php?L3118

http://www.securityfocus.com/archive/1/502750/100/0/threaded

http://www.securityfocus.com/bid/34665

http://www.us-cert.gov/cas/techalerts/TA09-133A.html

http://www.vupen.com/english/advisories/2009/1297

https://bugzilla.redhat.com/show_bug.cgi?id=490597

Details

Source: MITRE

Published: 2009-04-24

Updated: 2018-10-11

Type: CWE-20

Risk Information

CVSS v2

Base Score: 6.4

Vector: AV:N/AC:L/Au:N/C:N/I:P/A:P

Impact Score: 4.9

Exploitability Score: 10

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:apple:cups:1.1:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.1:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.2:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.3:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.4:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.5:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.5-1:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.5-2:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.6:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.6-1:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.6-2:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.6-3:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.7:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.8:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.9:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.9-1:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.10:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.10-1:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.11:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.12:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.13:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.14:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.15:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.16:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.17:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.18:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.19:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.19:rc1:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.19:rc2:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.19:rc3:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.19:rc4:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.19:rc5:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.20:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.20:rc1:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.20:rc2:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.20:rc3:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.20:rc4:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.20:rc5:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.20:rc6:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.21:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.21:rc1:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.21:rc2:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.22:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.22:rc1:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.22:rc2:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.23:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.1.23:rc1:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.2:b1:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.2:b2:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.2:rc1:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.2:rc2:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.2:rc3:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.2.0:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.2.1:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.2.2:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.2.3:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.2.4:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.2.5:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.2.6:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.2.7:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.2.8:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.2.9:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.2.10:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.2.11:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.2.12:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.3:b1:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.3:rc1:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.3:rc2:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.3.0:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.3.1:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.3.2:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.3.3:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.3.4:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.3.5:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.3.6:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.3.7:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:1.3.8:*:*:*:*:*:*:*

cpe:2.3:a:apple:cups:*:*:*:*:*:*:*:* versions up to 1.3.9 (inclusive)

Tenable Plugins

View all (11 total)

IDNameProductFamilySeverity
38744Mac OS X 10.5.x < 10.5.7 Multiple VulnerabilitiesNessusMacOS X Local Security Checks
critical
38743Mac OS X Multiple Vulnerabilities (Security Update 2009-002)NessusMacOS X Local Security Checks
critical
38705FreeBSD : cups -- remote code execution and DNS rebinding (736e55bc-39bb-11de-a493-001b77d09812)NessusFreeBSD Local Security Checks
medium
38166Slackware 12.0 / 12.1 / 12.2 / current : cups (SSA:2009-116-01)NessusSlackware Local Security Checks
medium
38161GLSA-200904-20 : CUPS: Multiple vulnerabilitiesNessusGentoo Local Security Checks
medium
37075Fedora 10 : cups-1.3.10-1.fc10 (2009-3769)NessusFedora Local Security Checks
medium
36209Fedora 9 : cups-1.3.10-1.fc9 (2009-3753)NessusFedora Local Security Checks
medium
36183CUPS < 1.3.10 Multiple VulnerabilitiesNessusMisc.
high
4771CUPS < 1.3.10 Multiple OverflowsNessus Network MonitorWeb Servers
high
5023Mac OS X 10.5 < 10.5.7 Multiple VulnerabilitiesNessus Network MonitorGeneric
critical
800792Mac OS X 10.5 < 10.5.7 Multiple VulnerabilitiesLog Correlation EngineOperating System Detection
high