CVE-2023-4504 — Heap-based Buffer Overflow in Cups

CWE-122 — Heap-based Buffer Overflow CWE-787 — Out-of-bounds Write10 documents8 sources

Severity

7.0HIGHNVD

EPSS

0.0%

top 89.67%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openprinting Cups Openprinting Libppd Apple Cups +2 more

Timeline

PublishedSep 21

Latest updateSep 16

Description

Due to failure in validating the length provided by an attacker-crafted PPD PostScript document, CUPS and libppd are susceptible to a heap-based buffer overflow and possibly code execution. This issue has been fixed in CUPS version 2.4.7, released in September of 2023.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.0 | Impact: 5.9

Affected Packages5 packages

▶CVEListV5openprinting/cups< 2.4.6

▶NVDopenprinting/cups< 2.4.7

▶Debianapple/cups< 2.3.3op2-3+deb11u4+3

▶CVEListV5openprinting/libppd< d09348b

▶NVDopenprinting/libppd2.0

Also affects: Debian Linux 10.0, Fedora 37, 38, 39

🔴Vulnerability Details

OSV

CVE-2023-4504: Due to failure in validating the length provided by an attacker-crafted PPD PostScript document, CUPS and libppd are susceptible to a heap-based buffe↗2023-09-21

▶

CVEList

OpenPrinting CUPS/libppd Postscript Parsing Heap Overflow↗2023-09-21

▶

📋Vendor Advisories

Apple

CVE-2023-4504: macOS Sequoia 15↗2024-09-16

▶

Ubuntu

CUPS vulnerability↗2023-09-21

▶

Red Hat

libppd: Postscript Parsing Heap Overflow↗2023-09-20

▶

Ubuntu

libppd vulnerability↗2023-09-20

▶

Ubuntu

CUPS vulnerability↗2023-09-20

▶