Information Disclosure Vulnerability in CUPS on Apple Systems
CVE-2010-1748

Currently unrated

Key Information:

Vendor: Apple
Status: Cups
Vendor: CVE Published:; 17 June 2010

Summary

The cgi_initialize_string function in CUPS, used on various Apple platforms, has a vulnerability that improperly handles parameter values containing a '%' character lacking the required hex encoding. This flaw allows attackers to exploit crafted requests to gain unauthorized access to sensitive information stored in the cupsd process memory. Notable examples of this exploit include crafted URL requests that may reveal internal data, posing significant risks to system security.

References

http://lists.apple.com/archives/security-announce/2010//J...

vendor-advisoryx_refsource_APPLE

http://www.mandriva.com/security/advisories?name=MDVSA-20...

vendor-advisoryx_refsource_MANDRIVA

http://www.vupen.com/english/advisories/2010/1481

vdb-entryx_refsource_VUPEN

EPSS Score

13% chance of being exploited in the next 30 days.

Timeline

Vulnerability published
Jun 17, 2010
Vulnerability Reserved
May 6, 2010