CVE-2023-24805: OS Command Injection in Cups-filters

Severity: 8.8 HIGH (NVD)
EPSS: 8.9% (top 7.40%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline:
Published: May 17
Latest update: Jun 19

Description

cups-filters contains backends, filters, and other software required to get the CUPS printing service working on operating systems other than macOS. If you use the Backend Error Handler (beh) to create an accessible network printer, this security vulnerability can cause remote code execution. `beh.c` contains the line `retval = system(cmdline) >> 8;`, which calls the `system` function with the operand `cmdline`. `cmdline` contains multiple user-controlled, unsanitized values. As a result an attack

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (3 packages)

CVEListV5: openprinting/cups-filters 2.0rc1
Debian: linuxfoundation/cups-filters < 1.28.7-1+deb11u2 +3

Also affects: Debian Linux 10.0, 11.0, Fedora 37, 38

Patches

🔴 Vulnerability Details (2)

CVEList: Command injection in cups-filters (2023-05-17)
OSV: CVE-2023-24805: cups-filters contains backends, filters, and other software required to get the cups printing service working on operating systems other than macos (2023-05-17)

📋 Vendor Advisories (4)

Ubuntu: cups-filters vulnerability (2023-06-19)
Red Hat: cups-filters: remote code execution in cups-filters, beh CUPS backend (2023-05-17)
Ubuntu: cups-filters vulnerability (2023-05-17)
Debian: CVE-2023-24805: cups-filters - cups-filters contains backends, filters, and other software required to get the ... (2023)