CVE-2024-35235 — Link Following in Cups

CWE-59 — Link Following CWE-252 — Unchecked Return Value CWE-277 — Insecure Inherited Permissions7 documents7 sources

Severity

6.7MEDIUMNVD

CNA4.4

EPSS

3.1%

top 13.18%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apple Cups Openprinting Cups Debian Linux

Timeline

PublishedJun 11

Latest updateJun 24

Description

OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.8 and earlier, when starting the cupsd server with a Listen configuration item pointing to a symbolic link, the cupsd process can be caused to perform an arbitrary chmod of the provided argument, providing world-writable access to the target. Given that cupsd is often running as root, this can result in the change of permission of any user or system files to be world writable. Giv…

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 0.8 | Impact: 5.9

Affected Packages3 packages

▶CVEListV5openprinting/cups2.4.8

▶NVDopenprinting/cups2.4.8

▶Debianapple/cups< 2.3.3op2-3+deb11u7+3

Also affects: Debian Linux 10.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2024-35235: OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems↗2024-06-11

▶

CVEList

Cupsd Listen arbitrary chmod 0140777↗2024-06-11

▶

📋Vendor Advisories

Ubuntu

CUPS vulnerability↗2024-06-24

▶

Microsoft

Cupsd Listen arbitrary chmod 0140777↗2024-06-11

▶

Red Hat

cups: Cupsd Listen arbitrary chmod 0140777↗2024-06-11

▶

Debian

CVE-2024-35235: cups - OpenPrinting CUPS is an open source printing system for Linux and other Unix-lik...↗2024

▶