CVE-2017-18190

A localhost.localdomain whitelist entry in valid_host() in scheduler/client.c in CUPS before 2.2.2 allows remote attackers to execute arbitrary IPP commands by sending POST requests to the CUPS daemon in conjunction with DNS rebinding. The localhost.localdomain name is often resolved via a DNS server (neither the OS nor the web browser is responsible for ensuring that localhost.localdomain is 127.0.0.1).
CVSS 3.x Base Score

Provider  Type     Base Score  Atk. Vector  Atk. Complexity  Priv. Required  Vector
NIST      Primary  7.5 HIGH    NETWORK      LOW              NONE            CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS Score: Percentile 72%
Affected Products (NVD)

Vendor     Product       Version   Vulnerable
apple      cups          < 2.2.2   𝑥
debian     debian_linux  7.0
debian     debian_linux  8.0
canonical  ubuntu_linux  14.04
canonical  ubuntu_linux  16.04

𝑥 = Vulnerable software versions
Debian Releases

Debian Product  Codename             Version            Status
cups            bookworm             2.4.2-3+deb12u7    fixed
cups            bookworm (security)  2.4.2-3+deb12u8    fixed
cups            bullseye             2.3.3op2-3+deb11u8 fixed
cups            bullseye (security)  2.3.3op2-3+deb11u9 fixed
cups            sid                  2.4.10-2           fixed
cups            trixie               2.4.10-2           fixed
Ubuntu Releases

Ubuntu Product  Codename  Version                 Status
cups            artful    -                       not-affected
cups            trusty    Fixed 1.7.2-0ubuntu1.9  released
cups            xenial    Fixed 2.1.3-4ubuntu0.4  released
openSUSE / SLES Releases

openSUSE Product  Release                        Version        Status
cups              suse enterprise sap 12 SP2     1.7.5-20.3.1   fixed
cups              suse enterprise sap 12 SP3     1.7.5-20.3.1   fixed
cups              suse enterprise sap 12 SP5     1.7.5-20.23.1  fixed
cups              suse enterprise server 12      1.7.5-20.3.1   fixed
cups              suse enterprise server 12 SP1  1.7.5-20.3.1   fixed
cups              suse enterprise server 12 SP2  1.7.5-20.3.1   fixed
cups              suse enterprise server 12 SP3  1.7.5-20.3.1   fixed
cups              suse enterprise server 12 SP5  1.7.5-20.23.1  fixed
cups-client       suse enterprise sap 12 SP2     1.7.5-20.3.1   fixed
cups-client       suse enterprise sap 12 SP3     1.7.5-20.3.1   fixed
cups-client       suse enterprise sap 12 SP5     1.7.5-20.23.1  fixed
cups-client       suse enterprise server 12      1.7.5-20.3.1   fixed
cups-client       suse enterprise server 12 SP1  1.7.5-20.3.1   fixed
cups-client       suse enterprise server 12 SP2  1.7.5-20.3.1   fixed
cups-client       suse enterprise server 12 SP3  1.7.5-20.3.1   fixed
cups-client       suse enterprise server 12 SP5  1.7.5-20.23.1  fixed
cups-libs         suse enterprise sap 12 SP2     1.7.5-20.3.1   fixed
cups-libs         suse enterprise sap 12 SP3     1.7.5-20.3.1   fixed
cups-libs         suse enterprise sap 12 SP5     1.7.5-20.23.1  fixed
cups-libs         suse enterprise server 12      1.7.5-20.3.1   fixed
cups-libs         suse enterprise server 12 SP1  1.7.5-20.3.1   fixed
cups-libs         suse enterprise server 12 SP2  1.7.5-20.3.1   fixed
cups-libs         suse enterprise server 12 SP3  1.7.5-20.3.1   fixed
cups-libs         suse enterprise server 12 SP5  1.7.5-20.23.1  fixed
cups-libs-32bit   suse enterprise sap 12 SP2     1.7.5-20.3.1   fixed
cups-libs-32bit   suse enterprise sap 12 SP3     1.7.5-20.3.1   fixed
cups-libs-32bit   suse enterprise sap 12 SP5     1.7.5-20.23.1  fixed
cups-libs-32bit   suse enterprise server 12      1.7.5-20.3.1   fixed
cups-libs-32bit   suse enterprise server 12 SP1  1.7.5-20.3.1   fixed
cups-libs-32bit   suse enterprise server 12 SP2  1.7.5-20.3.1   fixed
cups-libs-32bit   suse enterprise server 12 SP3  1.7.5-20.3.1   fixed
cups-libs-32bit   suse enterprise server 12 SP5  1.7.5-20.23.1  fixed
Red Hat Enterprise Linux Releases

Red Hat Product  Release  Version          Status
cups             RHEL 7   1:1.6.3-51.el7   fixed
cups-client      RHEL 7   1:1.6.3-51.el7   fixed
cups-devel       RHEL 7   1:1.6.3-51.el7   fixed
cups-filesystem  RHEL 7   1:1.6.3-51.el7   fixed
cups-ipptool     RHEL 7   1:1.6.3-51.el7   fixed
cups-libs        RHEL 7   1:1.6.3-51.el7   fixed
cups-lpd         RHEL 7   1:1.6.3-51.el7   fixed