CVE-2014-8166 — Improper Input Validation in Cups

CWE-20 — Improper Input Validation6 documents6 sources

Severity

8.8HIGHNVD

EPSS

0.7%

top 29.13%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cups Debian Cups

Timeline

PublishedJan 12

Latest updateMay 13

Description

The browsing feature in the server in CUPS does not filter ANSI escape sequences from shared printer names, which might allow remote attackers to execute arbitrary code via a crafted printer name.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶NVDcups/cups< 1.6

▶debiandebian/cups

Patches

Patch: bugzilla.redhat.com ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

GHSA

GHSA-fw6x-vp3m-9q59: The browsing feature in the server in CUPS does not filter ANSI escape sequences from shared printer names, which might allow remote attackers to exec↗2022-05-13

▶

OSV

CVE-2014-8166: The browsing feature in the server in CUPS does not filter ANSI escape sequences from shared printer names, which might allow remote attackers to exec↗2018-01-12

▶

📋Vendor Advisories

Red Hat

cups: code execution via unescape ANSI escape sequences↗2015-03-24

▶

Debian

CVE-2014-8166: cups - The browsing feature in the server in CUPS does not filter ANSI escape sequences...↗2014

▶

💬Community

Bugzilla

CVE-2014-8166 cups: code execution via unescape ANSI escape sequences↗2014-04-04

▶