CVE-2023-4504

Summary

CVE	CVE-2023-4504
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2023-09-21 23:15:00 UTC
Updated	2023-11-09 20:58:00 UTC
Description	Due to failure in validating the length provided by an attacker-crafted PPD PostScript document, CUPS and libppd are susceptible to a heap-based buffer overflow and possibly code execution. This issue has been fixed in CUPS version 2.4.7, released in September of 2023.

Risk And Classification

Problem Types: CWE-787

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Debian	Debian Linux	10.0	All	All	All
Operating System	Fedoraproject	Fedora	37	All	All	All
Operating System	Fedoraproject	Fedora	38	All	All	All
Operating System	Fedoraproject	Fedora	39	All	All	All
Application	Openprinting	Cups	All	All	All	All
Application	Openprinting	Libppd	2.0	rc2	All	All

References

Reference	Source	Link	Tags
[SECURITY] Fedora 39 Update: libppd-2.0~rc2-4.fc39 - package-announce - Fedora Mailing-Lists	MISC	lists.fedoraproject.org
CUPS Heap-based buffer overflow · Advisory · OpenPrinting/cups · GitHub	MISC	github.com
[SECURITY] Fedora 37 Update: cups-2.4.7-1.fc37 - package-announce - Fedora Mailing-Lists	MISC	lists.fedoraproject.org
[SECURITY] Fedora 39 Update: cups-2.4.7-1.fc39 - package-announce - Fedora Mailing-Lists	MISC	lists.fedoraproject.org
CUPS Heap-based buffer overflow · Advisory · OpenPrinting/libppd · GitHub	MISC	github.com
[SECURITY] Fedora 38 Update: cups-2.4.7-1.fc38 - package-announce - Fedora Mailing-Lists	MISC	lists.fedoraproject.org
[SECURITY] [DLA 3594-1] cups security update	MISC	lists.debian.org
[SECURITY] Fedora 38 Update: libppd-2.0~rc2-4.fc38 - package-announce - Fedora Mailing-Lists	MISC	lists.fedoraproject.org
Release v2.4.7 · OpenPrinting/cups · GitHub	MISC	github.com
cve-template • Austin Hackers Academy	MISC	takeonme.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

199773 Ubuntu Security Notification for libppd Vulnerability (USN-6392-1)
199774 Ubuntu Security Notification for CUPS Vulnerability (USN-6391-1)
199776 Ubuntu Security Notification for CUPS Vulnerability (USN-6391-2)
284543 Fedora Security Update for cups (FEDORA-2023-96519dc6fd)
284544 Fedora Security Update for libppd (FEDORA-2023-00484b4120)
284591 Fedora Security Update for cups (FEDORA-2023-904f92af98)
285246 Fedora Security Update for cups (FEDORA-2023-351208aa08)
285249 Fedora Security Update for libppd (FEDORA-2023-52aa3d1a4f)
356383 Amazon Linux Security Advisory for cups : ALAS2023-2023-361
356433 Amazon Linux Security Advisory for cups : ALAS2-2023-2293
356451 Amazon Linux Security Advisory for cups : ALAS-2023-1857
356986 Amazon Linux Security Advisory for cups : AL2012-2023-470
503324 Alpine Linux Security Update for cups
505860 Alpine Linux Security Update for cups
6000163 Debian Security Update for cups (DLA 3594-1)
673342 EulerOS Security Update for cups (EulerOS-SA-2023-3238)
673361 EulerOS Security Update for cups (EulerOS-SA-2024-1135)
673427 EulerOS Security Update for cups (EulerOS-SA-2023-3325)
673439 EulerOS Security Update for cups (EulerOS-SA-2023-3293)
673641 EulerOS Security Update for cups (EulerOS-SA-2023-3266)
673679 EulerOS Security Update for cups (EulerOS-SA-2023-3168)
673878 EulerOS Security Update for cups (EulerOS-SA-2023-3203)
674015 EulerOS Security Update for cups (EulerOS-SA-2024-1259)
710864 Gentoo Linux CUPS Multiple Vulnerabilities (GLSA 202402-17)
754891 SUSE Enterprise Linux Security Update for cups (SUSE-SU-2023:3707-1)
754892 SUSE Enterprise Linux Security Update for cups (SUSE-SU-2023:3706-1)