CVE-2023-32324

01.06.2023, 17:15

OpenPrinting CUPS is an open source printing system. In versions 2.4.2 and prior, a heap buffer overflow vulnerability would allow a remote attacker to launch a denial of service (DoS) attack. A buffer overflow vulnerability in the function `format_log_line` could allow remote attackers to cause a DoS on the affected system. Exploitation of the vulnerability can be triggered when the configuration file `cupsd.conf` sets the value of `loglevel `to `DEBUG`. No known patches or workarounds exist at time of publication.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
GitHub_M	CNA	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE	ADP	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 51%

Vendor	Product	Version
openprinting	cups	𝑥 ≤ 2.4.2
debian	debian_linux	10.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

cups

bullseye	2.3.3op2-3+deb11u8 fixed
bullseye (security)	2.3.3op2-3+deb11u9 fixed
bookworm	2.4.2-3+deb12u8 fixed
bookworm (security)	2.4.2-3+deb12u8 fixed
sid	2.4.10-2 fixed
trixie	2.4.10-2 fixed

Ubuntu Releases

Ubuntu Product

Codename

cups

lunar	Fixed 2.4.2-3ubuntu2.1 released
kinetic	Fixed 2.4.2-1ubuntu2.1 released
jammy	Fixed 2.4.1op1-1ubuntu4.2 released
focal	Fixed 2.3.1-9ubuntu1.3 released
bionic	Fixed 2.2.7-1ubuntu2.10 released
xenial	Fixed 2.1.3-4ubuntu0.11+esm2 released
trusty	ignored

Known Exploits!

Common Weakness Enumeration

References

https://github.com/OpenPrinting/cups/security/advisories/GHSA-cxc6-w2g7-69p7

https://lists.debian.org/debian-lts-announce/2023/06/msg00001.html

https://github.com/OpenPrinting/cups/security/advisories/GHSA-cxc6-w2g7-69p7

https://lists.debian.org/debian-lts-announce/2023/06/msg00001.html