{ "version": "1", "package": [ { "name": "cups", "layer": "meta", "version": "2.4.10", "products": [ { "product": "cups", "cvesInRecord": "Yes" } ], "issue": [ { "id": "CVE-2001-0194", "summary": "Buffer overflow in httpGets function in CUPS 1.1.5 allows remote attackers to execute arbitrary commands via a long input line.", "scorev2": "10.0", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2001-0194" }, { "id": "CVE-2001-1332", "summary": "Buffer overflows in Linux CUPS before 1.1.6 may allow remote attackers to execute arbitrary code.", "scorev2": "7.5", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2001-1332" }, { "id": "CVE-2001-1333", "summary": "Linux CUPS before 1.1.6 does not securely handle temporary files, possibly due to a symlink vulnerability that could allow local users to overwrite files.", "scorev2": "1.2", "scorev3": "0.0", "vector": "LOCAL", "vectorString": "AV:L/AC:H/Au:N/C:N/I:P/A:N", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2001-1333" }, { "id": "CVE-2002-0063", "summary": "Buffer overflow in ippRead function of CUPS before 1.1.14 may allow attackers to execute arbitrary code via long attribute names or language values.", "scorev2": "7.5", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2002-0063" }, { "id": "CVE-2002-1366", "summary": "Common Unix Printing System (CUPS) 1.1.14 through 1.1.17 allows local users with lp privileges to create or overwrite arbitrary files via file race conditions, as demonstrated by ice-cream.", "scorev2": "6.2", "scorev3": "0.0", "vector": "LOCAL", "vectorString": "AV:L/AC:H/Au:N/C:C/I:C/A:C", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2002-1366" }, { "id": "CVE-2002-1367", "summary": "Common Unix Printing System (CUPS) 1.1.14 through 1.1.17 allows remote attackers to add printers without authentication via a certain UDP packet, which can then be used to perform unauthorized activities such as stealing the local root certificate for the administration server via a \"need authorization\" page, as demonstrated by new-coke.", "scorev2": "10.0", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2002-1367" }, { "id": "CVE-2002-1368", "summary": "Common Unix Printing System (CUPS) 1.1.14 through 1.1.17 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code by causing negative arguments to be fed into memcpy() calls via HTTP requests with (1) a negative Content-Length value or (2) a negative length in a chunked transfer encoding.", "scorev2": "7.5", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2002-1368" }, { "id": "CVE-2002-1369", "summary": "jobs.c in Common Unix Printing System (CUPS) 1.1.14 through 1.1.17 does not properly use the strncat function call when processing the options string, which allows remote attackers to execute arbitrary code via a buffer overflow attack.", "scorev2": "10.0", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2002-1369" }, { "id": "CVE-2002-1371", "summary": "filters/image-gif.c in Common Unix Printing System (CUPS) 1.1.14 through 1.1.17 does not properly check for zero-length GIF images, which allows remote attackers to execute arbitrary code via modified chunk headers, as demonstrated by nogif.", "scorev2": "7.5", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2002-1371" }, { "id": "CVE-2002-1372", "summary": "Common Unix Printing System (CUPS) 1.1.14 through 1.1.17 does not properly check the return values of various file and socket operations, which could allow a remote attacker to cause a denial of service (resource exhaustion) by causing file descriptors to be assigned and not released, as demonstrated by fanta.", "scorev2": "5.0", "scorev3": "7.5", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2002-1372" }, { "id": "CVE-2002-1383", "summary": "Multiple integer overflows in Common Unix Printing System (CUPS) 1.1.14 through 1.1.17 allow remote attackers to execute arbitrary code via (1) the CUPSd HTTP interface, as demonstrated by vanilla-coke, and (2) the image handling code in CUPS filters, as demonstrated by mksun.", "scorev2": "10.0", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2002-1383" }, { "id": "CVE-2002-1384", "summary": "Integer overflow in pdftops, as used in Xpdf 2.01 and earlier, xpdf-i, and CUPS before 1.1.18, allows local users to execute arbitrary code via a ColorSpace entry with a large number of elements, as demonstrated by cups-pdf.", "scorev2": "7.2", "scorev3": "0.0", "vector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2002-1384" }, { "id": "CVE-2003-0788", "summary": "Unknown vulnerability in the Internet Printing Protocol (IPP) implementation in CUPS before 1.1.19 allows remote attackers to cause a denial of service (CPU consumption from a \"busy loop\") via certain inputs to the IPP port (TCP 631).", "scorev2": "5.0", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2003-0788" }, { "id": "CVE-2004-0558", "summary": "The Internet Printing Protocol (IPP) implementation in CUPS before 1.1.21 allows remote attackers to cause a denial of service (service hang) via a certain UDP packet to the IPP port.", "scorev2": "5.0", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0558" }, { "id": "CVE-2004-0888", "summary": "Multiple integer overflows in xpdf 2.0 and 3.0, and other packages that use xpdf code such as CUPS, gpdf, and kdegraphics, allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code, a different set of vulnerabilities than those identified by CVE-2004-0889.", "scorev2": "10.0", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0888" }, { "id": "CVE-2004-0889", "summary": "Multiple integer overflows in xpdf 3.0, and other packages that use xpdf code such as CUPS, allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code, a different set of vulnerabilities than those identified by CVE-2004-0888.", "scorev2": "10.0", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0889" }, { "id": "CVE-2004-0923", "summary": "CUPS 1.1.20 and earlier records authentication information for a device URI in the error_log file, which allows local users to obtain user names and passwords.", "scorev2": "2.1", "scorev3": "0.0", "vector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0923" }, { "id": "CVE-2004-0924", "summary": "NetInfo Manager on Mac OS X 10.3.x through 10.3.5, after an initial root login, reports the root account as being disabled, even when it has not.", "scorev2": "5.0", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0924" }, { "id": "CVE-2004-0926", "summary": "Heap-based buffer overflow in Apple QuickTime on Mac OS 10.2.8 through 10.3.5 may allow remote attackers to execute arbitrary code via a certain BMP image.", "scorev2": "10.0", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0926" }, { "id": "CVE-2004-0927", "summary": "ServerAdmin in Mac OS X 10.2.8 through 10.3.5 uses the same example self-signed certificate on each system, which allows remote attackers to decrypt sessions.", "scorev2": "5.0", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-0927" }, { "id": "CVE-2004-1125", "summary": "Buffer overflow in the Gfx::doImage function in Gfx.cc for xpdf 3.00, and other products that share code such as tetex-bin and kpdf in KDE 3.2.x to 3.2.3 and 3.3.x to 3.3.2, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted PDF file that causes the boundaries of a maskColors array to be exceeded.", "scorev2": "9.3", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-1125" }, { "id": "CVE-2004-1267", "summary": "Buffer overflow in the ParseCommand function in hpgl-input.c in the hpgltops program for CUPS 1.1.22 allows remote attackers to execute arbitrary code via a crafted HPGL file.", "scorev2": "6.5", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-1267" }, { "id": "CVE-2004-1268", "summary": "lppasswd in CUPS 1.1.22 ignores write errors when modifying the CUPS passwd file, which allows local users to corrupt the file by filling the associated file system and triggering the write errors.", "scorev2": "2.1", "scorev3": "0.0", "vector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-1268" }, { "id": "CVE-2004-1269", "summary": "lppasswd in CUPS 1.1.22 does not remove the passwd.new file if it encounters a file-size resource limit while writing to passwd.new, which causes subsequent invocations of lppasswd to fail.", "scorev2": "5.0", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-1269" }, { "id": "CVE-2004-1270", "summary": "lppasswd in CUPS 1.1.22, when run in environments that do not ensure that file descriptors 0, 1, and 2 are open when lppasswd is called, does not verify that the passwd.new file is different from STDERR, which allows local users to control output to passwd.new via certain user input that triggers an error message.", "scorev2": "2.1", "scorev3": "0.0", "vector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-1270" }, { "id": "CVE-2004-2154", "summary": "CUPS before 1.1.21rc1 treats a Location directive in cupsd.conf as case sensitive, which allows attackers to bypass intended ACLs via a printer name containing uppercase or lowercase letters that are different from what is specified in the directive.", "scorev2": "7.5", "scorev3": "9.8", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2004-2154" }, { "id": "CVE-2005-0206", "summary": "The patch for integer overflow vulnerabilities in Xpdf 2.0 and 3.0 (CVE-2004-0888) is incomplete for 64-bit architectures on certain Linux distributions such as Red Hat, which could leave Xpdf users exposed to the original vulnerabilities.", "scorev2": "7.5", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-0206" }, { "id": "CVE-2005-2525", "summary": "CUPS in Mac OS X 10.3.9 and 10.4.2 does not properly close file descriptors when handling multiple simultaneous print jobs, which allows remote attackers to cause a denial of service (printing halt).", "scorev2": "5.0", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2525" }, { "id": "CVE-2005-2526", "summary": "CUPS in Mac OS X 10.3.9 and 10.4.2 allows remote attackers to cause a denial of service (CPU consumption) by sending a partial IPP request and closing the connection.", "scorev2": "5.0", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2526" }, { "id": "CVE-2005-2874", "summary": "The is_path_absolute function in scheduler/client.c for the daemon in CUPS before 1.1.23 allows remote attackers to cause a denial of service (CPU consumption by tight loop) via a \"..\\..\" URL in an HTTP request.", "scorev2": "5.0", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-2874" }, { "id": "CVE-2005-3624", "summary": "The CCITTFaxStream::CCITTFaxStream function in Stream.cc for xpdf, gpdf, kpdf, pdftohtml, poppler, teTeX, CUPS, libextractor, and others allows attackers to corrupt the heap via negative or large integers in a CCITTFaxDecode stream, which lead to integer overflows and integer underflows.", "scorev2": "5.0", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3624" }, { "id": "CVE-2005-3625", "summary": "Xpdf, as used in products such as gpdf, kpdf, pdftohtml, poppler, teTeX, CUPS, libextractor, and others, allows attackers to cause a denial of service (infinite loop) via streams that end prematurely, as demonstrated using the (1) CCITTFaxDecode and (2) DCTDecode streams, aka \"Infinite CPU spins.\"", "scorev2": "10.0", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3625" }, { "id": "CVE-2005-3626", "summary": "Xpdf, as used in products such as gpdf, kpdf, pdftohtml, poppler, teTeX, CUPS, libextractor, and others, allows attackers to cause a denial of service (crash) via a crafted FlateDecode stream that triggers a null dereference.", "scorev2": "5.0", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-3626" }, { "id": "CVE-2005-4873", "summary": "Multiple stack-based buffer overflows in the phpcups PHP module for CUPS 1.1.23rc1 might allow context-dependent attackers to execute arbitrary code via vectors that result in long function parameters, as demonstrated by the cups_get_dest_options function in phpcups.c.", "scorev2": "7.5", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2005-4873" }, { "id": "CVE-2007-0720", "summary": "The CUPS service on multiple platforms allows remote attackers to cause a denial of service (service hang) via a \"partially-negotiated\" SSL connection, which prevents other requests from being accepted.", "scorev2": "5.0", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-0720" }, { "id": "CVE-2007-3387", "summary": "Integer overflow in the StreamPredictor::StreamPredictor function in xpdf 3.02, as used in (1) poppler before 0.5.91, (2) gpdf before 2.8.2, (3) kpdf, (4) kdegraphics, (5) CUPS, (6) PDFedit, and other products, might allow remote attackers to execute arbitrary code via a crafted PDF file that triggers a stack-based buffer overflow in the StreamPredictor::getNextLine function.", "scorev2": "6.8", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-3387" }, { "id": "CVE-2007-4045", "summary": "The CUPS service, as used in SUSE Linux before 20070720 and other Linux distributions, allows remote attackers to cause a denial of service via unspecified vectors related to an incomplete fix for CVE-2007-0720 that introduced a different denial of service problem in SSL negotiation.", "scorev2": "5.0", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4045" }, { "id": "CVE-2007-4351", "summary": "Off-by-one error in the ippReadIO function in cups/ipp.c in CUPS 1.3.3 allows remote attackers to cause a denial of service (crash) via a crafted (1) textWithLanguage or (2) nameWithLanguage Internet Printing Protocol (IPP) tag, leading to a stack-based buffer overflow.", "scorev2": "10.0", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-4351" }, { "id": "CVE-2007-5849", "summary": "Integer underflow in the asn1_get_string function in the SNMP back end (backend/snmp.c) for CUPS 1.2 through 1.3.4 allows remote attackers to execute arbitrary code via a crafted SNMP response that triggers a stack-based buffer overflow.", "scorev2": "9.3", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2007-5849" }, { "id": "CVE-2008-0047", "summary": "Heap-based buffer overflow in the cgiCompileSearch function in CUPS 1.3.5, and other versions including the version bundled with Apple Mac OS X 10.5.2, when printer sharing is enabled, allows remote attackers to execute arbitrary code via crafted search expressions.", "scorev2": "9.3", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-0047" }, { "id": "CVE-2008-0053", "summary": "Multiple buffer overflows in the HP-GL/2-to-PostScript filter in CUPS before 1.3.6 might allow remote attackers to execute arbitrary code via a crafted HP-GL/2 file.", "scorev2": "10.0", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-0053" }, { "id": "CVE-2008-0596", "summary": "Memory leak in CUPS before 1.1.22, and possibly other versions, allows remote attackers to cause a denial of service (memory consumption and daemon crash) via a large number of requests to add and remove shared printers.", "scorev2": "5.0", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-0596" }, { "id": "CVE-2008-0597", "summary": "Use-after-free vulnerability in CUPS before 1.1.22, and possibly other versions, allows remote attackers to cause a denial of service (crash) via crafted IPP packets.", "scorev2": "5.0", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-0597" }, { "id": "CVE-2008-0882", "summary": "Double free vulnerability in the process_browse_data function in CUPS 1.3.5 allows remote attackers to cause a denial of service (daemon crash) and possibly execute arbitrary code via crafted UDP Browse packets to the cupsd port (631/udp), related to an unspecified manipulation of a remote printer. NOTE: some of these details are obtained from third party information.", "scorev2": "10.0", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-0882" }, { "id": "CVE-2008-1033", "summary": "The scheduler in CUPS in Apple Mac OS X 10.5 before 10.5.3, when debug logging is enabled and a printer requires a password, allows attackers to obtain sensitive information (credentials) by reading the log data, related to \"authentication environment variables.\"", "scorev2": "2.1", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:H/Au:S/C:P/I:N/A:N", "status": "Ignored", "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1033", "detail": "not-applicable-platform", "description": "Issue only applies to MacOS" }, { "id": "CVE-2008-1373", "summary": "Buffer overflow in the gif_read_lzw function in CUPS 1.3.6 allows remote attackers to have an unknown impact via a GIF file with a large code_size value, a similar issue to CVE-2006-4484.", "scorev2": "5.8", "scorev3": "0.0", "vector": "ADJACENT_NETWORK", "vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1373" }, { "id": "CVE-2008-1374", "summary": "Integer overflow in pdftops filter in CUPS in Red Hat Enterprise Linux 3 and 4, when running on 64-bit platforms, allows remote attackers to execute arbitrary code via a crafted PDF file. NOTE: this issue is due to an incomplete fix for CVE-2004-0888.", "scorev2": "6.8", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1374" }, { "id": "CVE-2008-1722", "summary": "Multiple integer overflows in (1) filter/image-png.c and (2) filter/image-zoom.c in CUPS 1.3 allow attackers to cause a denial of service (crash) and trigger memory corruption, as demonstrated via a crafted PNG image.", "scorev2": "4.3", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-1722" }, { "id": "CVE-2008-3639", "summary": "Heap-based buffer overflow in the read_rle16 function in imagetops in CUPS before 1.3.9 allows remote attackers to execute arbitrary code via an SGI image with malformed Run Length Encoded (RLE) data containing a small image and a large row count.", "scorev2": "7.5", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-3639" }, { "id": "CVE-2008-3640", "summary": "Integer overflow in the WriteProlog function in texttops in CUPS before 1.3.9 allows remote attackers to execute arbitrary code via a crafted PostScript file that triggers a heap-based buffer overflow.", "scorev2": "6.8", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-3640" }, { "id": "CVE-2008-3641", "summary": "The Hewlett-Packard Graphics Language (HPGL) filter in CUPS before 1.3.9 allows remote attackers to execute arbitrary code via crafted pen width and pen color opcodes that overwrite arbitrary memory.", "scorev2": "10.0", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-3641" }, { "id": "CVE-2008-5183", "summary": "cupsd in CUPS 1.3.9 and earlier allows local users, and possibly remote attackers, to cause a denial of service (daemon crash) by adding a large number of RSS Subscriptions, which triggers a NULL pointer dereference. NOTE: this issue can be triggered remotely by leveraging CVE-2008-5184.", "scorev2": "4.3", "scorev3": "7.5", "vector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-5183" }, { "id": "CVE-2008-5184", "summary": "The web interface (cgi-bin/admin.c) in CUPS before 1.3.8 uses the guest username when a user is not logged on to the web server, which makes it easier for remote attackers to bypass intended policy and conduct CSRF attacks via the (1) add and (2) cancel RSS subscription functions.", "scorev2": "10.0", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-5184" }, { "id": "CVE-2008-5286", "summary": "Integer overflow in the _cupsImageReadPNG function in CUPS 1.1.17 through 1.3.9 allows remote attackers to execute arbitrary code via a PNG image with a large height value, which bypasses a validation check and triggers a buffer overflow.", "scorev2": "7.5", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-5286" }, { "id": "CVE-2008-5377", "summary": "pstopdf in CUPS 1.3.8 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/pstopdf.log temporary file, a different vulnerability than CVE-2001-1333.", "scorev2": "6.9", "scorev3": "0.0", "vector": "LOCAL", "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2008-5377" }, { "id": "CVE-2009-0032", "summary": "CUPS on Mandriva Linux 2008.0, 2008.1, 2009.0, Corporate Server (CS) 3.0 and 4.0, and Multi Network Firewall (MNF) 2.0 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/pdf.log temporary file.", "scorev2": "6.9", "scorev3": "0.0", "vector": "LOCAL", "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "status": "Ignored", "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0032", "detail": "cpe-incorrect", "description": "Issue affects pdfdistiller plugin used with but not part of cups" }, { "id": "CVE-2009-0146", "summary": "Multiple buffer overflows in the JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, and other products allow remote attackers to cause a denial of service (crash) via a crafted PDF file, related to (1) JBIG2SymbolDict::setBitmap and (2) JBIG2Stream::readSymbolDictSeg.", "scorev2": "4.3", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0146" }, { "id": "CVE-2009-0147", "summary": "Multiple integer overflows in the JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, and other products allow remote attackers to cause a denial of service (crash) via a crafted PDF file, related to (1) JBIG2Stream::readSymbolDictSeg, (2) JBIG2Stream::readSymbolDictSeg, and (3) JBIG2Stream::readGenericBitmap.", "scorev2": "4.3", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0147" }, { "id": "CVE-2009-0163", "summary": "Integer overflow in the TIFF image decoding routines in CUPS 1.3.9 and earlier allows remote attackers to cause a denial of service (daemon crash) and possibly execute arbitrary code via a crafted TIFF image, which is not properly handled by the (1) _cupsImageReadTIFF function in the imagetops filter and (2) imagetoraster filter, leading to a heap-based buffer overflow.", "scorev2": "6.8", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0163" }, { "id": "CVE-2009-0164", "summary": "The web interface for CUPS before 1.3.10 does not validate the HTTP Host header in a client request, which makes it easier for remote attackers to conduct DNS rebinding attacks.", "scorev2": "6.4", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0164" }, { "id": "CVE-2009-0166", "summary": "The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, and other products allows remote attackers to cause a denial of service (crash) via a crafted PDF file that triggers a free of uninitialized memory.", "scorev2": "4.3", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0166" }, { "id": "CVE-2009-0195", "summary": "Heap-based buffer overflow in Xpdf 3.02pl2 and earlier, CUPS 1.3.9, and probably other products, allows remote attackers to execute arbitrary code via a PDF file with crafted JBIG2 symbol dictionary segments.", "scorev2": "6.8", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0195" }, { "id": "CVE-2009-0577", "summary": "Integer overflow in the WriteProlog function in texttops in CUPS 1.1.17 on Red Hat Enterprise Linux (RHEL) 3 allows remote attackers to execute arbitrary code via a crafted PostScript file that triggers a heap-based buffer overflow. NOTE: this issue exists because of an incorrect fix for CVE-2008-3640.", "scorev2": "6.8", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0577" }, { "id": "CVE-2009-0791", "summary": "Multiple integer overflows in Xpdf 2.x and 3.x and Poppler 0.x, as used in the pdftops filter in CUPS 1.1.17, 1.1.22, and 1.3.7, GPdf, and kdegraphics KPDF, allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PDF file that triggers a heap-based buffer overflow, possibly related to (1) Decrypt.cxx, (2) FoFiTrueType.cxx, (3) gmem.c, (4) JBIG2Stream.cxx, and (5) PSOutputDev.cxx in pdftops/. NOTE: the JBIG2Stream.cxx vector may overlap CVE-2009-1179.", "scorev2": "6.8", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0791" }, { "id": "CVE-2009-0799", "summary": "The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allows remote attackers to cause a denial of service (crash) via a crafted PDF file that triggers an out-of-bounds read.", "scorev2": "4.3", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0799" }, { "id": "CVE-2009-0800", "summary": "Multiple \"input validation flaws\" in the JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allow remote attackers to execute arbitrary code via a crafted PDF file.", "scorev2": "6.8", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0800" }, { "id": "CVE-2009-0949", "summary": "The ippReadIO function in cups/ipp.c in cupsd in CUPS before 1.3.10 does not properly initialize memory for IPP request packets, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a scheduler request with two consecutive IPP_TAG_UNSUPPORTED tags.", "scorev2": "5.0", "scorev3": "7.5", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-0949" }, { "id": "CVE-2009-1179", "summary": "Integer overflow in the JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allows remote attackers to execute arbitrary code via a crafted PDF file.", "scorev2": "6.8", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1179" }, { "id": "CVE-2009-1180", "summary": "The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allows remote attackers to execute arbitrary code via a crafted PDF file that triggers a free of invalid data.", "scorev2": "6.8", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1180" }, { "id": "CVE-2009-1181", "summary": "The JBIG2 decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allows remote attackers to cause a denial of service (crash) via a crafted PDF file that triggers a NULL pointer dereference.", "scorev2": "4.3", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1181" }, { "id": "CVE-2009-1182", "summary": "Multiple buffer overflows in the JBIG2 MMR decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allow remote attackers to execute arbitrary code via a crafted PDF file.", "scorev2": "7.5", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1182" }, { "id": "CVE-2009-1183", "summary": "The JBIG2 MMR decoder in Xpdf 3.02pl2 and earlier, CUPS 1.3.9 and earlier, Poppler before 0.10.6, and other products allows remote attackers to cause a denial of service (infinite loop and hang) via a crafted PDF file.", "scorev2": "4.3", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1183" }, { "id": "CVE-2009-1196", "summary": "The directory-services functionality in the scheduler in CUPS 1.1.17 and 1.1.22 allows remote attackers to cause a denial of service (cupsd daemon outage or crash) via manipulations of the timing of CUPS browse packets, related to a \"pointer use-after-delete flaw.\"", "scorev2": "5.0", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-1196" }, { "id": "CVE-2009-3553", "summary": "Use-after-free vulnerability in the abstract file-descriptor handling interface in the cupsdDoSelect function in scheduler/select.c in the scheduler in cupsd in CUPS 1.3.7 and 1.3.10 allows remote attackers to cause a denial of service (daemon crash or hang) via a client disconnection during listing of a large number of print jobs, related to improperly maintaining a reference count. NOTE: some of these details are obtained from third party information.", "scorev2": "5.0", "scorev3": "7.5", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2009-3553" }, { "id": "CVE-2010-0302", "summary": "Use-after-free vulnerability in the abstract file-descriptor handling interface in the cupsdDoSelect function in scheduler/select.c in the scheduler in cupsd in CUPS before 1.4.4, when kqueue or epoll is used, allows remote attackers to cause a denial of service (daemon crash or hang) via a client disconnection during listing of a large number of print jobs, related to improperly maintaining a reference count. NOTE: some of these details are obtained from third party information. NOTE: this vulnerability exists because of an incomplete fix for CVE-2009-3553.", "scorev2": "4.3", "scorev3": "7.5", "vector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0302" }, { "id": "CVE-2010-0393", "summary": "The _cupsGetlang function, as used by lppasswd.c in lppasswd in CUPS 1.2.2, 1.3.7, 1.3.9, and 1.4.1, relies on an environment variable to determine the file that provides localized message strings, which allows local users to gain privileges via a file that contains crafted localization data with format string specifiers.", "scorev2": "6.9", "scorev3": "0.0", "vector": "LOCAL", "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0393" }, { "id": "CVE-2010-0542", "summary": "The _WriteProlog function in texttops.c in texttops in the Text Filter subsystem in CUPS before 1.4.4 does not check the return values of certain calloc calls, which allows remote attackers to cause a denial of service (NULL pointer dereference or heap memory corruption) or possibly execute arbitrary code via a crafted file.", "scorev2": "6.8", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-0542" }, { "id": "CVE-2010-1748", "summary": "The cgi_initialize_string function in cgi-bin/var.c in the web interface in CUPS before 1.4.4, as used on Apple Mac OS X 10.5.8, Mac OS X 10.6 before 10.6.4, and other platforms, does not properly handle parameter values containing a % (percent) character without two subsequent hex characters, which allows context-dependent attackers to obtain sensitive information from cupsd process memory via a crafted request, as demonstrated by the (1) /admin?OP=redirect&URL=% and (2) /admin?URL=/admin/&OP=% URIs.", "scorev2": "4.3", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-1748" }, { "id": "CVE-2010-2431", "summary": "The cupsFileOpen function in CUPS before 1.4.4 allows local users, with lp group membership, to overwrite arbitrary files via a symlink attack on the (1) /var/cache/cups/remote.cache or (2) /var/cache/cups/job.cache file.", "scorev2": "2.6", "scorev3": "0.0", "vector": "LOCAL", "vectorString": "AV:L/AC:H/Au:N/C:N/I:P/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2431" }, { "id": "CVE-2010-2432", "summary": "The cupsDoAuthentication function in auth.c in the client in CUPS before 1.4.4, when HAVE_GSSAPI is omitted, does not properly handle a demand for authorization, which allows remote CUPS servers to cause a denial of service (infinite loop) via HTTP_UNAUTHORIZED responses.", "scorev2": "5.0", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2432" }, { "id": "CVE-2010-2941", "summary": "ipp.c in cupsd in CUPS 1.4.4 and earlier does not properly allocate memory for attribute values with invalid string data types, which allows remote attackers to cause a denial of service (use-after-free and application crash) or possibly execute arbitrary code via a crafted IPP request.", "scorev2": "9.3", "scorev3": "9.8", "vector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-2941" }, { "id": "CVE-2010-3702", "summary": "The Gfx::getPos function in the PDF parser in xpdf before 3.02pl5, poppler 0.8.7 and possibly other versions up to 0.15.1, CUPS, kdegraphics, and possibly other products allows context-dependent attackers to cause a denial of service (crash) via unknown vectors that trigger an uninitialized pointer dereference.", "scorev2": "7.5", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2010-3702" }, { "id": "CVE-2011-2896", "summary": "The LZW decompressor in the LWZReadByte function in giftoppm.c in the David Koblas GIF decoder in PBMPLUS, as used in the gif_read_lzw function in filter/image-gif.c in CUPS before 1.4.7, the LZWReadByte function in plug-ins/common/file-gif-load.c in GIMP 2.6.11 and earlier, the LZWReadByte function in img/gifread.c in XPCE in SWI-Prolog 5.10.4 and earlier, and other products, does not properly handle code words that are absent from the decompression table when encountered, which allows remote attackers to trigger an infinite loop or a heap-based buffer overflow, and possibly execute arbitrary code, via a crafted compressed stream, a related issue to CVE-2006-1168 and CVE-2011-2895.", "scorev2": "5.1", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-2896" }, { "id": "CVE-2011-3170", "summary": "The gif_read_lzw function in filter/image-gif.c in CUPS 1.4.8 and earlier does not properly handle the first code word in an LZW stream, which allows remote attackers to trigger a heap-based buffer overflow, and possibly execute arbitrary code, via a crafted stream, a different vulnerability than CVE-2011-2896.", "scorev2": "5.1", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2011-3170" }, { "id": "CVE-2012-5519", "summary": "CUPS 1.4.4, when running in certain Linux distributions such as Debian GNU/Linux, stores the web interface administrator key in /var/run/cups/certs/0 using certain permissions, which allows local users in the lpadmin group to read or write arbitrary files as root by leveraging the web interface.", "scorev2": "7.2", "scorev3": "0.0", "vector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-5519" }, { "id": "CVE-2012-6094", "summary": "cups (Common Unix Printing System) 'Listen localhost:631' option not honored correctly which could provide unauthorized access to the system", "scorev2": "6.8", "scorev3": "9.8", "vector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2012-6094" }, { "id": "CVE-2013-6891", "summary": "lppasswd in CUPS before 1.7.1, when running with setuid privileges, allows local users to read portions of arbitrary files via a modified HOME environment variable and a symlink attack involving .cups/client.conf.", "scorev2": "1.2", "scorev3": "0.0", "vector": "LOCAL", "vectorString": "AV:L/AC:H/Au:N/C:P/I:N/A:N", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2013-6891" }, { "id": "CVE-2014-2856", "summary": "Cross-site scripting (XSS) vulnerability in scheduler/client.c in Common Unix Printing System (CUPS) before 1.7.2 allows remote attackers to inject arbitrary web script or HTML via the URL path, related to the is_path_absolute function.", "scorev2": "4.3", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-2856" }, { "id": "CVE-2014-3537", "summary": "The web interface in CUPS before 1.7.4 allows local users in the lp group to read arbitrary files via a symlink attack on a file in /var/cache/cups/rss/.", "scorev2": "1.2", "scorev3": "0.0", "vector": "LOCAL", "vectorString": "AV:L/AC:H/Au:N/C:P/I:N/A:N", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-3537" }, { "id": "CVE-2014-5029", "summary": "The web interface in CUPS 1.7.4 allows local users in the lp group to read arbitrary files via a symlink attack on a file in /var/cache/cups/rss/ and language[0] set to null. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3537.", "scorev2": "1.5", "scorev3": "0.0", "vector": "LOCAL", "vectorString": "AV:L/AC:M/Au:S/C:P/I:N/A:N", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-5029" }, { "id": "CVE-2014-5030", "summary": "CUPS before 2.0 allows local users to read arbitrary files via a symlink attack on (1) index.html, (2) index.class, (3) index.pl, (4) index.php, (5) index.pyc, or (6) index.py.", "scorev2": "1.9", "scorev3": "0.0", "vector": "LOCAL", "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-5030" }, { "id": "CVE-2014-5031", "summary": "The web interface in CUPS before 2.0 does not check that files have world-readable permissions, which allows remote attackers to obtains sensitive information via unspecified vectors.", "scorev2": "5.0", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-5031" }, { "id": "CVE-2014-8166", "summary": "The browsing feature in the server in CUPS does not filter ANSI escape sequences from shared printer names, which might allow remote attackers to execute arbitrary code via a crafted printer name.", "scorev2": "5.1", "scorev3": "8.8", "vector": "NETWORK", "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-8166" }, { "id": "CVE-2014-9679", "summary": "Integer underflow in the cupsRasterReadPixels function in filter/raster.c in CUPS before 2.0.2 allows remote attackers to have unspecified impact via a malformed compressed raster file, which triggers a buffer overflow.", "scorev2": "6.8", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2014-9679" }, { "id": "CVE-2015-1158", "summary": "The add_job function in scheduler/ipp.c in cupsd in CUPS before 2.0.3 performs incorrect free operations for multiple-value job-originating-host-name attributes, which allows remote attackers to trigger data corruption for reference-counted strings via a crafted (1) IPP_CREATE_JOB or (2) IPP_PRINT_JOB request, as demonstrated by replacing the configuration file and consequently executing arbitrary code.", "scorev2": "10.0", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1158" }, { "id": "CVE-2015-1159", "summary": "Cross-site scripting (XSS) vulnerability in the cgi_puts function in cgi-bin/template.c in the template engine in CUPS before 2.0.3 allows remote attackers to inject arbitrary web script or HTML via the QUERY parameter to help/.", "scorev2": "4.3", "scorev3": "0.0", "vector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2015-1159" }, { "id": "CVE-2017-18190", "summary": "A localhost.localdomain whitelist entry in valid_host() in scheduler/client.c in CUPS before 2.2.2 allows remote attackers to execute arbitrary IPP commands by sending POST requests to the CUPS daemon in conjunction with DNS rebinding. The localhost.localdomain name is often resolved via a DNS server (neither the OS nor the web browser is responsible for ensuring that localhost.localdomain is 127.0.0.1).", "scorev2": "5.0", "scorev3": "7.5", "vector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18190" }, { "id": "CVE-2017-18248", "summary": "The add_job function in scheduler/ipp.c in CUPS before 2.2.6, when D-Bus support is enabled, can be crashed by remote attackers by sending print jobs with an invalid username, related to a D-Bus notification.", "scorev2": "3.5", "scorev3": "5.3", "vector": "NETWORK", "vectorString": "AV:N/AC:M/Au:S/C:N/I:N/A:P", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2017-18248" }, { "id": "CVE-2018-4300", "summary": "The session cookie generated by the CUPS web interface was easy to guess on Linux, allowing unauthorized scripted access to the web interface when the web interface is enabled. This issue affected versions prior to v2.2.10.", "scorev2": "4.3", "scorev3": "5.9", "vector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-4300" }, { "id": "CVE-2018-6553", "summary": "The CUPS AppArmor profile incorrectly confined the dnssd backend due to use of hard links. A local attacker could possibly use this issue to escape confinement. This flaw affects versions prior to 2.2.7-1ubuntu2.1 in Ubuntu 18.04 LTS, prior to 2.2.4-7ubuntu3.1 in Ubuntu 17.10, prior to 2.1.3-4ubuntu0.5 in Ubuntu 16.04 LTS, and prior to 1.7.2-0ubuntu1.10 in Ubuntu 14.04 LTS.", "scorev2": "4.6", "scorev3": "8.8", "vector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "status": "Ignored", "link": "https://nvd.nist.gov/vuln/detail/CVE-2018-6553", "detail": "not-applicable-platform", "description": "This is an Ubuntu only issue" }, { "id": "CVE-2021-25317", "summary": "A Incorrect Default Permissions vulnerability in the packaging of cups of SUSE Linux Enterprise Server 11-SP4-LTSS, SUSE Manager Server 4.0, SUSE OpenStack Cloud Crowbar 9; openSUSE Leap 15.2, Factory allows local attackers with control of the lp users to create files as root with 0644 permissions without the ability to set the content. This issue affects: SUSE Linux Enterprise Server 11-SP4-LTSS cups versions prior to 1.3.9. SUSE Manager Server 4.0 cups versions prior to 2.2.7. SUSE OpenStack Cloud Crowbar 9 cups versions prior to 1.7.5. openSUSE Leap 15.2 cups versions prior to 2.2.7. openSUSE Factory cups version 2.3.3op2-2.1 and prior versions.", "scorev2": "2.1", "scorev3": "3.3", "vector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "status": "Ignored", "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-25317", "detail": "not-applicable-config", "description": "This concerns /var/log/cups having lp ownership, our /var/log/cups is root:root, so this doesn't apply." }, { "id": "CVE-2022-26691", "summary": "A logic issue was addressed with improved state management. This issue is fixed in Security Update 2022-003 Catalina, macOS Monterey 12.3, macOS Big Sur 11.6.5. An application may be able to gain elevated privileges.", "scorev2": "7.2", "scorev3": "6.7", "vector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-26691", "detail": "fixed-version", "description": "This is fixed in 2.4.2 but the cve-check class still reports it" }, { "id": "CVE-2023-32324", "summary": "OpenPrinting CUPS is an open source printing system. In versions 2.4.2 and prior, a heap buffer overflow vulnerability would allow a remote attacker to launch a denial of service (DoS) attack. A buffer overflow vulnerability in the function `format_log_line` could allow remote attackers to cause a DoS on the affected system. Exploitation of the vulnerability can be triggered when the configuration file `cupsd.conf` sets the value of `loglevel `to `DEBUG`. No known patches or workarounds exist at time of publication.", "scorev2": "0.0", "scorev3": "5.5", "vector": "LOCAL", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-32324" }, { "id": "CVE-2023-34241", "summary": "OpenPrinting CUPS is a standards-based, open source printing system for Linux and other Unix-like operating systems. Starting in version 2.0.0 and prior to version 2.4.6, CUPS logs data of free memory to the logging service AFTER the connection has been closed, when it should have logged the data right before. This is a use-after-free bug that impacts the entire cupsd process.\n\nThe exact cause of this issue is the function `httpClose(con->http)` being called in `scheduler/client.c`. The problem is that httpClose always, provided its argument is not null, frees the pointer at the end of the call, only for cupsdLogClient to pass the pointer to httpGetHostname. This issue happens in function `cupsdAcceptClient` if LogLevel is warn or higher and in two scenarios: there is a double-lookup for the IP Address (HostNameLookups Double is set in `cupsd.conf`) which fails to resolve, or if CUPS is compiled with TCP wrappers and the connection is refused by rules from `/etc/hosts.allow` and `/etc/hosts.deny`.\n\nVersion 2.4.6 has a patch for this issue.", "scorev2": "0.0", "scorev3": "7.1", "vector": "LOCAL", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-34241" }, { "id": "CVE-2023-4504", "summary": "Due to failure in validating the length provided by an attacker-crafted PPD PostScript document, CUPS and libppd are susceptible to a heap-based buffer overflow and possibly code execution. This issue has been fixed in CUPS version 2.4.7, released in September of 2023.\n", "scorev2": "0.0", "scorev3": "7.0", "vector": "LOCAL", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "Patched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2023-4504" } ] } ] }