CVE-2024-35235

EUVD-2024-35252
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.8 and earlier, when the cupsd server is started with a Listen configuration item pointing to a symbolic link, the cupsd process can be caused to perform an arbitrary chmod of the provided argument, providing world-writable access to the target. Because cupsd often runs as root, this can result in the permissions of any user or system file being changed to world-writable. Given the Ubuntu AppArmor context, on such systems this vulnerability is limited to those files modifiable by the cupsd process. In that specific case it was found to be possible to turn the configuration of the Listen argument into full control over the cupsd.conf and cups-files.conf configuration files. By later setting the User and Group arguments in cups-files.conf, and printing with a printer configured by PPD with a `FoomaticRIPCommandLine` argument, arbitrary user and group (not root) command execution could be achieved, which can further be used on Ubuntu systems to achieve full root command execution. Commit ff1f8a623e090dee8a8aadf12a6a4b25efac143d contains a patch for the issue.
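A defensive check for the condition described above, as an added example that is not CUPS or vendor code: it reads cupsd.conf text, picks out the Listen directives that name a Unix domain socket path, and reports any path that is a symbolic link. The function names and the constructed sample configuration are assumptions of this example.

```python
import os
import stat
import tempfile

def listen_socket_paths(conf_text):
    """Return the Unix domain socket paths named by Listen directives."""
    paths = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "listen":
            value = parts[1].strip()
            if value.startswith("/"):              # host:port listeners are skipped
                paths.append(value)
    return paths

def audit_listen_paths(conf_text):
    """Classify each Listen socket path without following symbolic links."""
    findings = {}
    for path in listen_socket_paths(conf_text):
        try:
            st = os.lstat(path)                    # lstat inspects the link itself
        except FileNotFoundError:
            findings[path] = "missing"
            continue
        if stat.S_ISLNK(st.st_mode):
            findings[path] = "symlink -> " + os.path.realpath(path)
        elif stat.S_ISSOCK(st.st_mode):
            findings[path] = "socket"
        else:
            findings[path] = "other"
    return findings

def demo():
    """Constructed sample: one Listen path is a symlink to a scratch file."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "target.txt")
        open(target, "w").close()
        link = os.path.join(d, "cups.sock")
        os.symlink(target, link)
        missing = d + "/absent.sock"
        conf = f"Listen localhost:631\nListen {link}  # constructed\nlisten {missing}\n"
        return audit_listen_paths(conf), link, os.path.realpath(target), missing

if __name__ == "__main__":
    print(demo()[0])
```

On a real host, pass the contents of the installed cupsd.conf to `audit_listen_paths` and treat any `symlink` finding as a reason to inspect the link target's mode and ownership.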
Link Following
Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector
NIST | Primary | 4.4 MEDIUM | LOCAL | LOW | HIGH | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
EPSS Score Percentile: 87%
Affected Products (NVD)
Vendor | Product | Version
openprinting | cups | 𝑥 ≤ 2.4.8
debian | debian_linux | 10.0
𝑥 = Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
Vendor | Product | Version | Source
openprinting | cups | 𝑥 ≤ 2.4.8 | ADP
Debian Releases
Debian Product | Codename | Version | Status
cups | bookworm | 2.4.2-3+deb12u8 | fixed
cups | bookworm (security) | 2.4.2-3+deb12u9 | fixed
cups | bullseye | 2.3.3op2-3+deb11u8 | fixed
cups | bullseye (security) | 2.3.3op2-3+deb11u10 | fixed
cups | forky | 2.4.16-1 | fixed
cups | sid | 2.4.16-1 | fixed
cups | trixie | 2.4.10-3+deb13u2 | fixed
cups | trixie (security) | 2.4.10-3+deb13u1 | fixed
Ubuntu Releases
Ubuntu Product | Codename | Version | Status
cups | bionic | Fixed 2.2.7-1ubuntu2.10+esm4 | released
cups | focal | Fixed 2.3.1-9ubuntu1.7 | released
cups | jammy | Fixed 2.4.1op1-1ubuntu4.9 | released
cups | mantic | Fixed 2.4.6-0ubuntu3.1 | released
cups | noble | Fixed 2.4.7-1.2ubuntu7.1 | released
cups | xenial | Fixed 2.1.3-4ubuntu0.11+esm6 | released
openSUSE / SLES Releases
openSUSE Product | Release | Version | Status
cups | suse enterprise desktop 15 SP5 | 2.2.7-150000.3.59.1 | fixed
cups | suse enterprise desktop 15 SP6 | 2.2.7-150000.3.59.1 | fixed
cups | suse enterprise desktop 15 SP7 | 2.2.7-150000.3.59.1 | fixed
cups | suse enterprise sap 12 SP5 | 1.7.5-20.49.1 | fixed
cups | suse enterprise sap 15 SP2 | 2.2.7-150000.3.59.1 | fixed
cups | suse enterprise sap 15 SP3 | 2.2.7-150000.3.59.1 | fixed
cups | suse enterprise sap 15 SP4 | 2.2.7-150000.3.59.1 | fixed
cups | suse enterprise sap 15 SP5 | 2.2.7-150000.3.59.1 | fixed
cups | suse enterprise sap 15 SP6 | 2.2.7-150000.3.59.1 | fixed
cups | suse enterprise sap 15 SP7 | 2.2.7-150000.3.59.1 | fixed
cups | suse enterprise server 12 SP3 | 1.7.5-20.49.1 | fixed
cups | suse enterprise server 12 SP5 | 1.7.5-20.49.1 | fixed
cups | suse enterprise server 15 SP2 | 2.2.7-150000.3.59.1 | fixed
cups | suse enterprise server 15 SP3 | 2.2.7-150000.3.59.1 | fixed
cups | suse enterprise server 15 SP4 | 2.2.7-150000.3.59.1 | fixed
cups | suse enterprise server 15 SP5 | 2.2.7-150000.3.59.1 | fixed
cups | suse enterprise server 15 SP6 | 2.2.7-150000.3.59.1 | fixed
cups | suse enterprise server 15 SP7 | 2.2.7-150000.3.59.1 | fixed
cups-client | suse enterprise desktop 15 SP5 | 2.2.7-150000.3.59.1 | fixed
cups-client | suse enterprise desktop 15 SP6 | 2.2.7-150000.3.59.1 | fixed
cups-client | suse enterprise desktop 15 SP7 | 2.2.7-150000.3.59.1 | fixed
cups-client | suse enterprise sap 12 SP5 | 1.7.5-20.49.1 | fixed
cups-client | suse enterprise sap 15 SP2 | 2.2.7-150000.3.59.1 | fixed
cups-client | suse enterprise sap 15 SP3 | 2.2.7-150000.3.59.1 | fixed
cups-client | suse enterprise sap 15 SP4 | 2.2.7-150000.3.59.1 | fixed
cups-client | suse enterprise sap 15 SP5 | 2.2.7-150000.3.59.1 | fixed
cups-client | suse enterprise sap 15 SP6 | 2.2.7-150000.3.59.1 | fixed
cups-client | suse enterprise sap 15 SP7 | 2.2.7-150000.3.59.1 | fixed
cups-client | suse enterprise server 12 SP3 | 1.7.5-20.49.1 | fixed
cups-client | suse enterprise server 12 SP5 | 1.7.5-20.49.1 | fixed
cups-client | suse enterprise server 15 SP2 | 2.2.7-150000.3.59.1 | fixed
cups-client | suse enterprise server 15 SP3 | 2.2.7-150000.3.59.1 | fixed
cups-client | suse enterprise server 15 SP4 | 2.2.7-150000.3.59.1 | fixed
cups-client | suse enterprise server 15 SP5 | 2.2.7-150000.3.59.1 | fixed
cups-client | suse enterprise server 15 SP6 | 2.2.7-150000.3.59.1 | fixed
cups-client | suse enterprise server 15 SP7 | 2.2.7-150000.3.59.1 | fixed
cups-config | suse enterprise desktop 15 SP5 | 2.2.7-150000.3.59.1 | fixed
cups-config | suse enterprise desktop 15 SP6 | 2.2.7-150000.3.59.1 | fixed
cups-config | suse enterprise desktop 15 SP7 | 2.2.7-150000.3.59.1 | fixed
cups-config | suse enterprise sap 15 SP2 | 2.2.7-150000.3.59.1 | fixed
cups-config | suse enterprise sap 15 SP3 | 2.2.7-150000.3.59.1 | fixed
cups-config | suse enterprise sap 15 SP4 | 2.2.7-150000.3.59.1 | fixed
cups-config | suse enterprise sap 15 SP5 | 2.2.7-150000.3.59.1 | fixed
cups-config | suse enterprise sap 15 SP6 | 2.2.7-150000.3.59.1 | fixed
cups-config | suse enterprise sap 15 SP7 | 2.2.7-150000.3.59.1 | fixed
cups-config | suse enterprise server 15 SP2 | 2.2.7-150000.3.59.1 | fixed
cups-config | suse enterprise server 15 SP3 | 2.2.7-150000.3.59.1 | fixed
cups-config | suse enterprise server 15 SP4 | 2.2.7-150000.3.59.1 | fixed
cups-config | suse enterprise server 15 SP5 | 2.2.7-150000.3.59.1 | fixed
cups-config | suse enterprise server 15 SP6 | 2.2.7-150000.3.59.1 | fixed
cups-config | suse enterprise server 15 SP7 | 2.2.7-150000.3.59.1 | fixed
cups-ddk | suse enterprise sap 15 SP2 | 2.2.7-150000.3.59.1 | fixed
cups-ddk | suse enterprise sap 15 SP3 | 2.2.7-150000.3.59.1 | fixed
cups-ddk | suse enterprise sap 15 SP4 | 2.2.7-150000.3.59.1 | fixed
cups-ddk | suse enterprise server 15 SP2 | 2.2.7-150000.3.59.1 | fixed
cups-ddk | suse enterprise server 15 SP3 | 2.2.7-150000.3.59.1 | fixed
cups-ddk | suse enterprise server 15 SP4 | 2.2.7-150000.3.59.1 | fixed
cups-devel | suse enterprise desktop 15 SP5 | 2.2.7-150000.3.59.1 | fixed
cups-devel | suse enterprise desktop 15 SP6 | 2.2.7-150000.3.59.1 | fixed
cups-devel | suse enterprise desktop 15 SP7 | 2.2.7-150000.3.59.1 | fixed
cups-devel | suse enterprise sap 15 SP2 | 2.2.7-150000.3.59.1 | fixed
cups-devel | suse enterprise sap 15 SP3 | 2.2.7-150000.3.59.1 | fixed
cups-devel | suse enterprise sap 15 SP4 | 2.2.7-150000.3.59.1 | fixed
cups-devel | suse enterprise sap 15 SP5 | 2.2.7-150000.3.59.1 | fixed
cups-devel | suse enterprise sap 15 SP6 | 2.2.7-150000.3.59.1 | fixed
cups-devel | suse enterprise sap 15 SP7 | 2.2.7-150000.3.59.1 | fixed
cups-devel | suse enterprise server 15 SP2 | 2.2.7-150000.3.59.1 | fixed
cups-devel | suse enterprise server 15 SP3 | 2.2.7-150000.3.59.1 | fixed
cups-devel | suse enterprise server 15 SP4 | 2.2.7-150000.3.59.1 | fixed
cups-devel | suse enterprise server 15 SP5 | 2.2.7-150000.3.59.1 | fixed
cups-devel | suse enterprise server 15 SP6 | 2.2.7-150000.3.59.1 | fixed
cups-devel | suse enterprise server 15 SP7 | 2.2.7-150000.3.59.1 | fixed
cups-libs | suse enterprise sap 12 SP5 | 1.7.5-20.49.1 | fixed
cups-libs | suse enterprise server 12 SP3 | 1.7.5-20.49.1 | fixed
cups-libs | suse enterprise server 12 SP5 | 1.7.5-20.49.1 | fixed
cups-libs-32bit | suse enterprise sap 12 SP5 | 1.7.5-20.49.1 | fixed
cups-libs-32bit | suse enterprise server 12 SP3 | 1.7.5-20.49.1 | fixed
cups-libs-32bit | suse enterprise server 12 SP5 | 1.7.5-20.49.1 | fixed
libcups2 | suse enterprise desktop 15 SP5 | 2.2.7-150000.3.59.1 | fixed
libcups2 | suse enterprise desktop 15 SP6 | 2.2.7-150000.3.59.1 | fixed
libcups2 | suse enterprise desktop 15 SP7 | 2.2.7-150000.3.59.1 | fixed
libcups2 | suse enterprise sap 15 SP2 | 2.2.7-150000.3.59.1 | fixed
libcups2 | suse enterprise sap 15 SP3 | 2.2.7-150000.3.59.1 | fixed
libcups2 | suse enterprise sap 15 SP4 | 2.2.7-150000.3.59.1 | fixed
libcups2 | suse enterprise sap 15 SP5 | 2.2.7-150000.3.59.1 | fixed
libcups2 | suse enterprise sap 15 SP6 | 2.2.7-150000.3.59.1 | fixed
libcups2 | suse enterprise sap 15 SP7 | 2.2.7-150000.3.59.1 | fixed
libcups2 | suse enterprise server 15 SP2 | 2.2.7-150000.3.59.1 | fixed
libcups2 | suse enterprise server 15 SP3 | 2.2.7-150000.3.59.1 | fixed
libcups2 | suse enterprise server 15 SP4 | 2.2.7-150000.3.59.1 | fixed
libcups2 | suse enterprise server 15 SP5 | 2.2.7-150000.3.59.1 | fixed
libcups2 | suse enterprise server 15 SP6 | 2.2.7-150000.3.59.1 | fixed
libcups2 | suse enterprise server 15 SP7 | 2.2.7-150000.3.59.1 | fixed
libcups2-32bit | suse enterprise sap 15 SP2 | 2.2.7-150000.3.59.1 | fixed
libcups2-32bit | suse enterprise sap 15 SP3 | 2.2.7-150000.3.59.1 | fixed
libcups2-32bit | suse enterprise sap 15 SP4 | 2.2.7-150000.3.59.1 | fixed
libcups2-32bit | suse enterprise server 15 SP2 | 2.2.7-150000.3.59.1 | fixed
libcups2-32bit | suse enterprise server 15 SP3 | 2.2.7-150000.3.59.1 | fixed
libcups2-32bit | suse enterprise server 15 SP4 | 2.2.7-150000.3.59.1 | fixed
libcupscgi1 | suse enterprise desktop 15 SP5 | 2.2.7-150000.3.59.1 | fixed
libcupscgi1 | suse enterprise desktop 15 SP6 | 2.2.7-150000.3.59.1 | fixed
libcupscgi1 | suse enterprise desktop 15 SP7 | 2.2.7-150000.3.59.1 | fixed
libcupscgi1 | suse enterprise sap 15 SP2 | 2.2.7-150000.3.59.1 | fixed
libcupscgi1 | suse enterprise sap 15 SP3 | 2.2.7-150000.3.59.1 | fixed
libcupscgi1 | suse enterprise sap 15 SP4 | 2.2.7-150000.3.59.1 | fixed
libcupscgi1 | suse enterprise sap 15 SP5 | 2.2.7-150000.3.59.1 | fixed
libcupscgi1 | suse enterprise sap 15 SP6 | 2.2.7-150000.3.59.1 | fixed
libcupscgi1 | suse enterprise sap 15 SP7 | 2.2.7-150000.3.59.1 | fixed
libcupscgi1 | suse enterprise server 15 SP2 | 2.2.7-150000.3.59.1 | fixed
libcupscgi1 | suse enterprise server 15 SP3 | 2.2.7-150000.3.59.1 | fixed
libcupscgi1 | suse enterprise server 15 SP4 | 2.2.7-150000.3.59.1 | fixed
libcupscgi1 | suse enterprise server 15 SP5 | 2.2.7-150000.3.59.1 | fixed
libcupscgi1 | suse enterprise server 15 SP6 | 2.2.7-150000.3.59.1 | fixed
libcupscgi1 | suse enterprise server 15 SP7 | 2.2.7-150000.3.59.1 | fixed
libcupsimage2 | suse enterprise desktop 15 SP5 | 2.2.7-150000.3.59.1 | fixed
libcupsimage2 | suse enterprise desktop 15 SP6 | 2.2.7-150000.3.59.1 | fixed
libcupsimage2 | suse enterprise desktop 15 SP7 | 2.2.7-150000.3.59.1 | fixed
libcupsimage2 | suse enterprise sap 15 SP2 | 2.2.7-150000.3.59.1 | fixed
libcupsimage2 | suse enterprise sap 15 SP3 | 2.2.7-150000.3.59.1 | fixed
libcupsimage2 | suse enterprise sap 15 SP4 | 2.2.7-150000.3.59.1 | fixed
libcupsimage2 | suse enterprise sap 15 SP5 | 2.2.7-150000.3.59.1 | fixed
libcupsimage2 | suse enterprise sap 15 SP6 | 2.2.7-150000.3.59.1 | fixed
libcupsimage2 | suse enterprise sap 15 SP7 | 2.2.7-150000.3.59.1 | fixed
libcupsimage2 | suse enterprise server 15 SP2 | 2.2.7-150000.3.59.1 | fixed
libcupsimage2 | suse enterprise server 15 SP3 | 2.2.7-150000.3.59.1 | fixed
libcupsimage2 | suse enterprise server 15 SP4 | 2.2.7-150000.3.59.1 | fixed
libcupsimage2 | suse enterprise server 15 SP5 | 2.2.7-150000.3.59.1 | fixed
libcupsimage2 | suse enterprise server 15 SP6 | 2.2.7-150000.3.59.1 | fixed
libcupsimage2 | suse enterprise server 15 SP7 | 2.2.7-150000.3.59.1 | fixed
libcupsmime1 | suse enterprise desktop 15 SP5 | 2.2.7-150000.3.59.1 | fixed
libcupsmime1 | suse enterprise desktop 15 SP6 | 2.2.7-150000.3.59.1 | fixed
libcupsmime1 | suse enterprise desktop 15 SP7 | 2.2.7-150000.3.59.1 | fixed
libcupsmime1 | suse enterprise sap 15 SP2 | 2.2.7-150000.3.59.1 | fixed
libcupsmime1 | suse enterprise sap 15 SP3 | 2.2.7-150000.3.59.1 | fixed
libcupsmime1 | suse enterprise sap 15 SP4 | 2.2.7-150000.3.59.1 | fixed
libcupsmime1 | suse enterprise sap 15 SP5 | 2.2.7-150000.3.59.1 | fixed
libcupsmime1 | suse enterprise sap 15 SP6 | 2.2.7-150000.3.59.1 | fixed
libcupsmime1 | suse enterprise sap 15 SP7 | 2.2.7-150000.3.59.1 | fixed
libcupsmime1 | suse enterprise server 15 SP2 | 2.2.7-150000.3.59.1 | fixed
libcupsmime1 | suse enterprise server 15 SP3 | 2.2.7-150000.3.59.1 | fixed
libcupsmime1 | suse enterprise server 15 SP4 | 2.2.7-150000.3.59.1 | fixed
libcupsmime1 | suse enterprise server 15 SP5 | 2.2.7-150000.3.59.1 | fixed
libcupsmime1 | suse enterprise server 15 SP6 | 2.2.7-150000.3.59.1 | fixed
libcupsmime1 | suse enterprise server 15 SP7 | 2.2.7-150000.3.59.1 | fixed
libcupsppdc1 | suse enterprise desktop 15 SP5 | 2.2.7-150000.3.59.1 | fixed
libcupsppdc1 | suse enterprise desktop 15 SP6 | 2.2.7-150000.3.59.1 | fixed
libcupsppdc1 | suse enterprise desktop 15 SP7 | 2.2.7-150000.3.59.1 | fixed
libcupsppdc1 | suse enterprise sap 15 SP2 | 2.2.7-150000.3.59.1 | fixed
libcupsppdc1 | suse enterprise sap 15 SP3 | 2.2.7-150000.3.59.1 | fixed
libcupsppdc1 | suse enterprise sap 15 SP4 | 2.2.7-150000.3.59.1 | fixed
libcupsppdc1 | suse enterprise sap 15 SP5 | 2.2.7-150000.3.59.1 | fixed
libcupsppdc1 | suse enterprise sap 15 SP6 | 2.2.7-150000.3.59.1 | fixed
libcupsppdc1 | suse enterprise sap 15 SP7 | 2.2.7-150000.3.59.1 | fixed
libcupsppdc1 | suse enterprise server 15 SP2 | 2.2.7-150000.3.59.1 | fixed
libcupsppdc1 | suse enterprise server 15 SP3 | 2.2.7-150000.3.59.1 | fixed
libcupsppdc1 | suse enterprise server 15 SP4 | 2.2.7-150000.3.59.1 | fixed
libcupsppdc1 | suse enterprise server 15 SP5 | 2.2.7-150000.3.59.1 | fixed
libcupsppdc1 | suse enterprise server 15 SP6 | 2.2.7-150000.3.59.1 | fixed
libcupsppdc1 | suse enterprise server 15 SP7 | 2.2.7-150000.3.59.1 | fixed
Red Hat Enterprise Linux Releases
Red Hat Product | Release | Version | Status
cups | RHEL 8 | 1:2.2.6-60.el8_10 | fixed
cups | RHEL 8.6 AUS | 1:2.2.6-45.el8_6.5 | fixed
cups | RHEL 8.6 E4S | 1:2.2.6-45.el8_6.5 | fixed
cups | RHEL 8.6 TUS | 1:2.2.6-45.el8_6.5 | fixed
cups | RHEL 8.8 AUS | 1:2.2.6-51.el8_8.4 | fixed
cups | RHEL 8.8 E4S | 1:2.2.6-51.el8_8.4 | fixed
cups | RHEL 8.8 EUS | 1:2.2.6-51.el8_8.4 | fixed
cups | RHEL 8.8 TUS | 1:2.2.6-51.el8_8.4 | fixed
cups | RHEL 9 | 1:2.3.3op2-27.el9_4 | fixed
cups-client | RHEL 8 | 1:2.2.6-60.el8_10 | fixed
cups-client | RHEL 8.6 AUS | 1:2.2.6-45.el8_6.5 | fixed
cups-client | RHEL 8.6 E4S | 1:2.2.6-45.el8_6.5 | fixed
cups-client | RHEL 8.6 TUS | 1:2.2.6-45.el8_6.5 | fixed
cups-client | RHEL 8.8 AUS | 1:2.2.6-51.el8_8.4 | fixed
cups-client | RHEL 8.8 E4S | 1:2.2.6-51.el8_8.4 | fixed
cups-client | RHEL 8.8 EUS | 1:2.2.6-51.el8_8.4 | fixed
cups-client | RHEL 8.8 TUS | 1:2.2.6-51.el8_8.4 | fixed
cups-client | RHEL 9 | 1:2.3.3op2-27.el9_4 | fixed
cups-devel | RHEL 8 | 1:2.2.6-60.el8_10 | fixed
cups-devel | RHEL 8.6 AUS | 1:2.2.6-45.el8_6.5 | fixed
cups-devel | RHEL 8.6 E4S | 1:2.2.6-45.el8_6.5 | fixed
cups-devel | RHEL 8.6 TUS | 1:2.2.6-45.el8_6.5 | fixed
cups-devel | RHEL 8.8 AUS | 1:2.2.6-51.el8_8.4 | fixed
cups-devel | RHEL 8.8 E4S | 1:2.2.6-51.el8_8.4 | fixed
cups-devel | RHEL 8.8 EUS | 1:2.2.6-51.el8_8.4 | fixed
cups-devel | RHEL 8.8 TUS | 1:2.2.6-51.el8_8.4 | fixed
cups-devel | RHEL 9 | 1:2.3.3op2-27.el9_4 | fixed
cups-filesystem | RHEL 8 | 1:2.2.6-60.el8_10 | fixed
cups-filesystem | RHEL 8.6 AUS | 1:2.2.6-45.el8_6.5 | fixed
cups-filesystem | RHEL 8.6 E4S | 1:2.2.6-45.el8_6.5 | fixed
cups-filesystem | RHEL 8.6 TUS | 1:2.2.6-45.el8_6.5 | fixed
cups-filesystem | RHEL 8.8 AUS | 1:2.2.6-51.el8_8.4 | fixed
cups-filesystem | RHEL 8.8 E4S | 1:2.2.6-51.el8_8.4 | fixed
cups-filesystem | RHEL 8.8 EUS | 1:2.2.6-51.el8_8.4 | fixed
cups-filesystem | RHEL 8.8 TUS | 1:2.2.6-51.el8_8.4 | fixed
cups-filesystem | RHEL 9 | 1:2.3.3op2-27.el9_4 | fixed
cups-ipptool | RHEL 8 | 1:2.2.6-60.el8_10 | fixed
cups-ipptool | RHEL 8.6 AUS | 1:2.2.6-45.el8_6.5 | fixed
cups-ipptool | RHEL 8.6 E4S | 1:2.2.6-45.el8_6.5 | fixed
cups-ipptool | RHEL 8.6 TUS | 1:2.2.6-45.el8_6.5 | fixed
cups-ipptool | RHEL 8.8 AUS | 1:2.2.6-51.el8_8.4 | fixed
cups-ipptool | RHEL 8.8 E4S | 1:2.2.6-51.el8_8.4 | fixed
cups-ipptool | RHEL 8.8 EUS | 1:2.2.6-51.el8_8.4 | fixed
cups-ipptool | RHEL 8.8 TUS | 1:2.2.6-51.el8_8.4 | fixed
cups-ipptool | RHEL 9 | 1:2.3.3op2-27.el9_4 | fixed
cups-libs | RHEL 8 | 1:2.2.6-60.el8_10 | fixed
cups-libs | RHEL 8.6 AUS | 1:2.2.6-45.el8_6.5 | fixed
cups-libs | RHEL 8.6 E4S | 1:2.2.6-45.el8_6.5 | fixed
cups-libs | RHEL 8.6 TUS | 1:2.2.6-45.el8_6.5 | fixed
cups-libs | RHEL 8.8 AUS | 1:2.2.6-51.el8_8.4 | fixed
cups-libs | RHEL 8.8 E4S | 1:2.2.6-51.el8_8.4 | fixed
cups-libs | RHEL 8.8 EUS | 1:2.2.6-51.el8_8.4 | fixed
cups-libs | RHEL 8.8 TUS | 1:2.2.6-51.el8_8.4 | fixed
cups-libs | RHEL 9 | 1:2.3.3op2-27.el9_4 | fixed
cups-lpd | RHEL 8 | 1:2.2.6-60.el8_10 | fixed
cups-lpd | RHEL 8.6 AUS | 1:2.2.6-45.el8_6.5 | fixed
cups-lpd | RHEL 8.6 E4S | 1:2.2.6-45.el8_6.5 | fixed
cups-lpd | RHEL 8.6 TUS | 1:2.2.6-45.el8_6.5 | fixed
cups-lpd | RHEL 8.8 AUS | 1:2.2.6-51.el8_8.4 | fixed
cups-lpd | RHEL 8.8 E4S | 1:2.2.6-51.el8_8.4 | fixed
cups-lpd | RHEL 8.8 EUS | 1:2.2.6-51.el8_8.4 | fixed
cups-lpd | RHEL 8.8 TUS | 1:2.2.6-51.el8_8.4 | fixed
cups-lpd | RHEL 9 | 1:2.3.3op2-27.el9_4 | fixed
cups-printerapp | RHEL 9 | 1:2.3.3op2-27.el9_4 | fixed