Command injection in cups-filters
CVE-2023-24805

8.8 HIGH

Key Information:

Vendor
CVE Published: 17 May 2023

Summary

The cups-filters package, utilized for managing the CUPS printing service on non-macOS systems, contains a vulnerability that could lead to remote code execution. This issue arises from the improper handling of unsanitized input in the Backend Error Handler (beh). When an attacker gains network access to a vulnerable print server, they can exploit this vulnerability to inject arbitrary system commands. This unauthorized execution occurs within the context of the server, potentially allowing the attacker to manipulate the system. Users are advised to promptly update to the patched version, which includes critical security fixes, and to limit access to network printers as a precautionary measure.

Affected Version(s)

cups-filters <= 2.0rc1

EPSS Score

9% chance of being exploited in the next 30 days.

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
