CVE-2023-24805
Summary
| CVE | CVE-2023-24805 |
|---|
| State | PUBLIC |
|---|
| Assigner | [email protected] |
|---|
| Source Priority | CVE Program / NVD first with legacy fallback |
|---|
| Published | 2023-05-17 18:15:00 UTC |
|---|
| Updated | 2024-01-05 16:15:00 UTC |
|---|
| Description | cups-filters contains backends, filters, and other software required to get the cups printing service working on operating systems other than macos. If you use the Backend Error Handler (beh) to create an accessible network printer, this security vulnerability can cause remote code execution. `beh.c` contains the line `retval = system(cmdline) >> 8;` which calls the `system` command with the operand `cmdline`. `cmdline` contains multiple user controlled, unsanitized values. As a result an attacker with network access to the hosted print server can exploit this vulnerability to inject system commands which are executed in the context of the running server. This issue has been addressed in commit `8f2740357` and is expected to be bundled in the next release. Users are advised to upgrade when possible and to restrict access to network printers in the meantime. |
|---|
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|
| Merge pull request from GHSA-gpxc-v2m8-fr3x · OpenPrinting/cups-filters@8f27403 · GitHub |
MISC |
github.com |
|
| report a command inject Vulnerabilities in cups-filters · Advisory · OpenPrinting/cups-filters · GitHub |
MISC |
github.com |
|
| security.gentoo.org/glsa/202401-06 |
|
security.gentoo.org |
|
| [SECURITY] [DLA 3430-1] cups-filters security update |
MISC |
lists.debian.org |
|
| [SECURITY] Fedora 37 Update: cups-filters-1.28.16-3.fc37 - package-announce - Fedora Mailing-Lists |
MISC |
lists.fedoraproject.org |
|
| Debian -- Security Information -- DSA-5407-1 cups-filters |
MISC |
www.debian.org |
|
| [SECURITY] Fedora 38 Update: cups-filters-2.0~rc1-2.fc38 - package-announce - Fedora Mailing-Lists |
MISC |
lists.fedoraproject.org |
|
| CVE Program record |
CVE.ORG |
www.cve.org |
canonical |
| NVD vulnerability detail |
NVD |
nvd.nist.gov |
canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 160715 Oracle Enterprise Linux Security Update for cups-filters (ELSA-2023-3423)
- 160717 Oracle Enterprise Linux Security Update for cups-filters (ELSA-2023-3425)
- 181794 Debian Security Update for cups-filters (DLA 3430-1)
- 181797 Debian Security Update for cups-filters (DSA 5407-1)
- 184052 Debian Security Update for cups-filters (CVE-2023-24805)
- 199347 Ubuntu Security Notification for cups-filters Vulnerability (USN-6083-1)
- 199542 Ubuntu Security Notification for cups-filters Vulnerability (USN-6083-2)
- 241570 Red Hat Update for cups-filters (RHSA-2023:3423)
- 241578 Red Hat Update for cups-filters (RHSA-2023:3427)
- 241579 Red Hat Update for cups-filters (RHSA-2023:3424)
- 241584 Red Hat Update for cups-filters (RHSA-2023:3425)
- 241587 Red Hat Update for cups-filters (RHSA-2023:3426)
- 241601 Red Hat Update for cups-filters (RHSA-2023:3429)
- 241667 Red Hat Update for cups-filters (RHSA-2023:3428)
- 283994 Fedora Security Update for cups (FEDORA-2023-31cf6a7a1e)
- 284132 Fedora Security Update for cups (FEDORA-2023-6ca587ac4c)
- 355471 Amazon Linux Security Advisory for cups-filters : ALAS2023-2023-223
- 378594 Alibaba Cloud Linux Security Update for cups-filters (ALINUX3-SA-2023:0051)
- 503154 Alpine Linux Security Update for cups-filters
- 505997 Alpine Linux Security Update for cups-filters
- 673356 EulerOS Security Update for cups-filters (EulerOS-SA-2023-3120)
- 710823 Gentoo Linux CUPS filters Remote Code Execution Vulnerability (GLSA 202401-06)
- 754025 SUSE Enterprise Linux Security Update for cups-filters (SUSE-SU-2023:2233-1)
- 754040 SUSE Enterprise Linux Security Update for cups-filters, poppler, texlive (SUSE-SU-2023:2287-1)
- 941130 AlmaLinux Security Update for cups-filters (ALSA-2023:3425)
- 941133 AlmaLinux Security Update for cups-filters (ALSA-2023:3423)
