This repository was archived by the owner on Mar 10, 2026. It is now read-only.

OPTIONS requests expose what other methods are supported #5540

Description

@jdalls

CUPS project Security,

Has anyone reported the below issue and provided a solution to resolve it? I did the internet research and I can’t find anything; you guys are my last hope.
I am NOT a programmer. The best I can do is upgrade CUPS to the latest version.

Thanks for your help!

This issue was highlighted by our network vulnerability scanner. Problem Management (PM) ticket PM60976.

“Web servers that respond to the OPTIONS HTTP method expose what other methods are supported by the web server, allowing attackers to narrow and intensify their efforts.”

The method I used to test this was telnet. This is the response I get from running the telnet command.

HTTP/1.0 200 OK
Date: Wed, 06 Mar 2019 14:22:42 GMT
Server: CUPS/1.6 IPP/2.1
Content-Language: en_US
Allow: GET, HEAD, OPTIONS, POST, PUT
Content-Length: 0

I found many solutions to disable “OPTIONS” for Apache, Apache Tomcat & IIS but nothing for CUPS.
I reviewed the cupsd.conf and didn’t see any options.

Jim
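
A repeatable form of the telnet check described in the report above, added here as an example; it is not part of the original issue or of the CUPS code base. It parses the response quoted in the report and lists advertised methods outside an operator-chosen expected set. The request line `OPTIONS / HTTP/1.0`, the default port 631 and the function names are assumptions, since the report does not show the exact request that was typed.

```python
import socket

# Response quoted in the report above (CUPS 1.6), embedded as sample input.
SAMPLE_RESPONSE = (
    b"HTTP/1.0 200 OK\r\n"
    b"Date: Wed, 06 Mar 2019 14:22:42 GMT\r\n"
    b"Server: CUPS/1.6 IPP/2.1\r\n"
    b"Content-Language: en_US\r\n"
    b"Allow: GET, HEAD, OPTIONS, POST, PUT\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def parse_options_response(raw: bytes) -> dict:
    """Return status code, Server banner and advertised methods from a raw HTTP response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP response: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # header names are case-insensitive, so normalise them
            headers[name.strip().lower()] = value.strip()
    methods = [m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()]
    return {"status": int(parts[1]), "server": headers.get("server"), "methods": methods}


def unexpected_methods(result: dict, expected: set) -> list:
    """Methods the server advertises that are not in the operator's expected set."""
    return sorted(set(result["methods"]) - expected)


def probe(host: str, port: int = 631, timeout: float = 5.0) -> dict:
    """Send an OPTIONS request (assumed form) to a server you administer and parse the reply."""
    request = ("OPTIONS / HTTP/1.0\r\nHost: %s\r\n\r\n" % host).encode("ascii")
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while b"\r\n\r\n" not in buf:  # stop once the header block is complete
            data = sock.recv(4096)
            if not data:
                break
            buf += data
    return parse_options_response(buf)
```

Running `probe()` before and after a configuration or version change gives a like-for-like comparison to attach to the scanner ticket.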
