VYPR
Unrated severity · NVD Advisory · Published Jan 10, 2020 · Updated Aug 5, 2024

CVE-2019-14306

Description

Ricoh SP C250DN 1.06 devices have Incorrect Access Control (issue 2 of 2).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Ricoh SP C250DN 1.06 devices have an improper authentication vulnerability allowing an adjacent attacker to obtain device settings information.

Vulnerability

The Ricoh SP C250DN printer, firmware version 1.06, contains an improper authentication vulnerability (CWE-287) classified as CVE-2019-14306. The issue resides in the device's management interface, where the debugging web page does not properly authenticate users before granting access to sensitive configuration data. An adjacent attacker can access this page without any credentials, leading to information disclosure [1].

Exploitation

An attacker needs network adjacency to the affected device (AV:A) and no authentication (PR:N). No user interaction is required. The attacker can directly browse to the debugging web page exposed on the device's network interface, which fails to enforce authentication checks, thereby allowing retrieval of device settings information [1].

Impact

Successful exploitation results in unauthorized disclosure of the device's settings information. The impact is limited to confidentiality (NIST: C), with no effect on integrity or availability. The CVSS v3 base score is 6.5 (medium), and the CVSS v2 score is 3.3 (low) [1].

Mitigation

Ricoh has released firmware updates to address the vulnerability. Users should apply the appropriate firmware update for the Ricoh SP C250DN as provided in the vendor's advisory [1]. No workarounds are mentioned in available references.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2


References

2
