Vulnerability CVE-2008-4419


Published: 2009-02-04   Modified: 2012-02-12

Description:
Directory traversal vulnerability in the HP JetDirect web administration interface in the HP-ChaiSOE 1.0 embedded web server on the LaserJet 9040mfp, LaserJet 9050mfp, and Color LaserJet 9500mfp before firmware 08.110.9; LaserJet 4345mfp and 9200C Digital Sender before firmware 09.120.9; Color LaserJet 4730mfp before firmware 46.200.9; LaserJet 2410, LaserJet 2420, and LaserJet 2430 before firmware 20080819 SPCL112A; LaserJet 4250 and LaserJet 4350 before firmware 20080819 SPCL015A; and LaserJet 9040 and LaserJet 9050 before firmware 20080819 SPCL110A allows remote attackers to read arbitrary files via directory traversal sequences in the URI.

See advisories in our WLB2 database:
Topic: HP JetDirect Web Administration Directory Traversal (High)
Author: ddifrontline
Date: 07.02.2009

Type: CWE-22 (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'))

CVSS2 => (AV:N/AC:L/Au:N/C:C/I:N/A:N)

CVSS Base Score: 7.8/10
Impact Subscore: 6.9/10
Exploitability Subscore: 10/10

Exploit range: Remote
Attack complexity: Low
Authentication: Not required

Confidentiality impact: Complete
Integrity impact: None
Availability impact: None

Affected software
HP -> 9200c digital sender 
HP -> Color laserjet 4370mfp 
HP -> Color laserjet 9500mfp 
HP -> Laserjet 2410 
HP -> Laserjet 2420 
HP -> Laserjet 2430 
HP -> Laserjet 4250 
HP -> Laserjet 4345mfp 
HP -> Laserjet 4350 
HP -> Laserjet 9040 
HP -> Laserjet 9040mfp 
HP -> Laserjet 9050 
HP -> Laserjet 9050mfp 

 References:
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01623905
http://www.securityfocus.com/archive/1/500657/100/0/threaded
http://www.securityfocus.com/bid/33611
http://www.securitytracker.com/id?1021687
http://www.vupen.com/english/advisories/2009/0341

Copyright 2024, cxsecurity.com

 
