CUPS leaks print job documents to local and remote attackers. You need Linux with a printer setup and software that subscribes to printer events via the IPP protocol and requests the job documents. The operation Cups-Get-Document is not protected as documented against unauthorized access. Unauthorized users are permitted to fetch documents.
Upstream fix: https://github.com/OpenPrinting/cups/commit/a0c8b9c9556882f00c68b9727a95a1b6d1452913
Created cups tracking bugs for this issue: Affects: fedora-all [bug 2230497]
Hi, I would like to fix this issue for the reasons mentioned in the email which I sent as a notification to secalert:
- if an attacker has access to cupsd (the attacker got into the machine, or got into a local network whose subnets are configured to have access to the server, or cupsd is incorrectly configured to listen on a public network and is not protected by a firewall or any other means in cupsd.conf - 'Allow from' in <Limit>s and <Location>s) and finds out the job id and the username of the user who printed the job, he can get the printed file in the IPP response.
- the victim can mitigate by setting 'PreserveJobFiles No' (removes the job file after printing - the default is to remove the file after one day), changing the default policy (to authenticated or kerberos) or limiting the means by which the attacker can find out about usernames and job ids (limiting access to specific <location>s in cupsd.conf)
Based on this, I'm not sure about severity of the vulnerability - I would like to know prodsec evaluation of it, so I can fix the issue accordingly.
I'm putting NEEDINFO to the reporter, please switch it to a person doing the Secondary assessment.
Thank you in advance!
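An added example, not part of the comment above and not CUPS code: a small Python audit that reads a cupsd.conf and reports where the mitigations named in that comment (PreserveJobFiles, the default policy, listeners and 'Allow from') are not in place. The function names `parse` and `audit`, the simplified parsing rules and the sample configuration are assumptions made for illustration.

```python
# Constructed sample cupsd.conf, not taken from a real host.
SAMPLE_CONF = """\
Listen localhost:631
Listen 192.0.2.10:631
PreserveJobFiles Yes
DefaultPolicy default
<Location />
  Allow from all
</Location>
<Policy default>
  <Limit CUPS-Get-Document>
    Order deny,allow
  </Limit>
</Policy>
"""

def parse(conf):
    """Return (top-level directives, Allow values per <Location> block)."""
    top, allows, depth, section = {}, {}, 0, ""
    for line in (raw.strip() for raw in conf.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            depth -= 1
        elif line.startswith("<"):
            section = line if depth == 0 else section  # outermost block
            depth += 1
        else:
            name, value = (line.split(None, 1) + [""])[:2]
            if depth == 0:
                top.setdefault(name.lower(), []).append(value.strip())
            elif name.lower() == "allow" and section.lower().startswith("<location"):
                allows.setdefault(section, []).append((value.split() or [""])[-1].lower())
    return top, allows

def audit(conf):
    """List settings that leave the exposure described in the comment."""
    top, allows = parse(conf)
    out = []
    preserve = top.get("preservejobfiles", ["unset"])[-1]
    if preserve.lower() != "no":  # unset: file kept for a day, per the comment
        out.append(f"PreserveJobFiles {preserve}: job files kept after printing")
    policy = top.get("defaultpolicy", ["default"])[-1]
    if policy.lower() not in ("authenticated", "kerberos"):
        out.append(f"DefaultPolicy {policy}: not authenticated or kerberos")
    out += [f"Listen {a}: not loopback-only" for a in top.get("listen", [])
            if not a.lower().startswith(("localhost", "127.", "[::1]", "/"))]
    out += [f"Port {p}: all interfaces" for p in top.get("port", [])]
    out += [f"{s}: Allow all" for s, v in allows.items() if "all" in v]
    return out
```

Calling `audit(SAMPLE_CONF)` returns one finding per unmet mitigation; an empty list means all four checks passed for that file.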
FTR I've verified the file content is sent in IPP response with affected CUPS versions.
In reply to comment #3:
> Based on this, I'm not sure about severity of the vulnerability - I would
> like to know prodsec evaluation of it, so I can fix the issue accordingly.
I've added a statement for change in severity from Moderate to Important for the CVE page as follows:
This vulnerability is classified as important according to Red Hat's Severity Rating Classification as unauthorised users are permitted to fetch documents over local or remote network leading to confidentiality breach. https://access.redhat.com/security/updates/classification
Please consider this a 'high' level in bugzilla.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions Via RHSA-2023:4765 https://access.redhat.com/errata/RHSA-2023:4765
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2023:4766 https://access.redhat.com/errata/RHSA-2023:4766
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions Red Hat Enterprise Linux 8.4 Telecommunications Update Service Via RHSA-2023:4768 https://access.redhat.com/errata/RHSA-2023:4768
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Advanced Update Support Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions Red Hat Enterprise Linux 8.2 Telecommunications Update Service Via RHSA-2023:4771 https://access.redhat.com/errata/RHSA-2023:4771
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Extended Update Support Via RHSA-2023:4769 https://access.redhat.com/errata/RHSA-2023:4769
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2023:4770 https://access.redhat.com/errata/RHSA-2023:4770
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:4838 https://access.redhat.com/errata/RHSA-2023:4838
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:4864 https://access.redhat.com/errata/RHSA-2023:4864
Added statement and mitigation for the CVE page https://access.redhat.com/security/cve/CVE-2023-32360