CVE-2013-6427

Published: 09/12/2013 Updated: 06/03/2014
CVSS v2 Base Score: 6.8 | Impact Score: 6.4 | Exploitability Score: 8.6
VMScore: 605
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Summary

upgrade.py in the hp-upgrade service in HP Linux Imaging and Printing (HPLIP) 3.x up to and including 3.13.11 launches a program from an http URL, which allows man-in-the-middle malicious users to execute arbitrary code by gaining control over the client-server data stream.

Vulnerable Product

hp linux imaging and printing project 3.11.3a

hp linux imaging and printing project 3.13.5

hp linux imaging and printing project 3.13.4

hp linux imaging and printing project 3.12.4

hp linux imaging and printing project 3.12.2

hp linux imaging and printing project 3.11.1

hp linux imaging and printing project 3.10.9

hp linux imaging and printing project 3.9.6

hp linux imaging and printing project 3.9.4

hp linux imaging and printing project 3.13.8

hp linux imaging and printing project 3.9.4b

hp linux imaging and printing project 3.13.3

hp linux imaging and printing project 3.13.2

hp linux imaging and printing project 3.11.12

hp linux imaging and printing project 3.11.10

hp linux imaging and printing project 3.10.6

hp linux imaging and printing project 3.10.5

hp linux imaging and printing project 3.9.2

hp linux imaging and printing project 3.13.7

hp linux imaging and printing project 3.13.6

hp linux imaging and printing project 3.12.10

hp linux imaging and printing project 3.12.9

hp linux imaging and printing project 3.12.6

hp linux imaging and printing project 3.11.3

hp linux imaging and printing project 3.9.10

hp linux imaging and printing project 3.9.8

hp linux imaging and printing project 3.13.10

hp linux imaging and printing project 3.13.9

hp linux imaging and printing project 3.12.11

hp linux imaging and printing project 3.11.7

hp linux imaging and printing project 3.11.5

hp linux imaging and printing project 3.10.2

hp linux imaging and printing project 3.9.12

Vendor Advisories

Debian Bug report logs - #731480 hplip: CVE-2013-6427: insecure (undocumented) auto update feature. Package: hplip; Maintainer for hplip is Debian Printing Team <debian-printing@lists.debian.org>; Source for hplip is src:hplip. Reported by: Salvatore Bonaccorso <carnil@debian.org> Date: Thu, 5 De ...
Several security issues were fixed in HPLIP ...
Multiple vulnerabilities have been found in the HP Linux Printing and Imaging System: Insecure temporary files, insufficient permission checks in PackageKit and the insecure hp-upgrade service has been disabled. For the oldstable distribution (squeeze), these problems have been fixed in version 3.10.6-2+squeeze2. For the stable distribution (wheezy ...
upgrade.py in the hp-upgrade service in HP Linux Imaging and Printing (HPLIP) 3.x through 3.13.11 launches a program from an http URL, which allows man-in-the-middle attackers to execute arbitrary code by gaining control over the client-server data stream ...