CVE-2015-8327 — Command Injection in Cups-filters

CWE-77 — Command Injection10 documents8 sources

Severity

7.5HIGHNVD

EPSS

20.7%

top 4.40%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Foomatic-filters Linuxfoundation Cups-filters Canonical Ubuntu Linux +7 more

Timeline

PublishedDec 17

Latest updateMay 14

Description

Incomplete blacklist vulnerability in util.c in foomatic-rip in cups-filters 1.0.42 before 1.2.0 and in foomatic-filters in Foomatic 4.0.x allows remote attackers to execute arbitrary commands via ` (backtick) characters in a print job.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages8 packages

▶Debianfoomatic-filters/foomatic-filters< 4.0.17-7+3

▶NVDlinuxfoundation/foomatic-filters18 versions+17

▶Debianlinuxfoundation/cups-filters< 1.2.0-1+3

▶NVDlinuxfoundation/cups-filters36 versions+35

▶NVDredhat/enterprise_linux_server6.0

Also affects: Debian Linux 8.0, Ubuntu Linux 12.04, 14.04, 15.04, 15.10, Enterprise Linux 6.7.z

🔴Vulnerability Details

GHSA

GHSA-cfgh-jg4g-q29h: Incomplete blacklist vulnerability in util↗2022-05-14

▶

CVEList

CVE-2015-8327: Incomplete blacklist vulnerability in util↗2015-12-17

▶

OSV

CVE-2015-8327: Incomplete blacklist vulnerability in util↗2015-12-17

▶

📋Vendor Advisories

Red Hat

cups-filters: foomatic-rip did not consider semicolon as illegal shell escape character↗2015-12-12

▶

Ubuntu

cups-filters vulnerability↗2015-12-07

▶

Ubuntu

foomatic-filters vulnerability↗2015-12-07

▶

Red Hat

cups-filters: foomatic-rip did not consider the back tick as an illegal shell escape character↗2015-11-26

▶

Debian

CVE-2015-8327: cups-filters - Incomplete blacklist vulnerability in util.c in foomatic-rip in cups-filters 1.0...↗2015

▶

💬Community

Bugzilla

CVE-2015-8327 cups-filters: foomatic-rip did not consider the back tick as an illegal shell escape character↗2015-12-02

▶