Description
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, a local unprivileged user can coerce cupsd into authenticating to an attacker-controlled localhost IPP service with a reusable Authorization: Local ... token. That token is enough to drive /admin/ requests on localhost, and the attacker can combine CUPS-Create-Local-Printer with printer-is-shared=true to persist a file:///... queue even though the normal FileDevice policy rejects such URIs. Printing to that queue gives an arbitrary root file overwrite; the PoC below uses that primitive to drop a sudoers fragment and demonstrate root command execution. At time of publication, there are no publicly available patches.
Mitigation
Minimal update. May introduce new vulnerabilities or breaking changes.
|
 rpm rhel9 | | - | - |
 debian 11 | | =2.3.3op2-3+deb11u1 || =2.3.3op2-3+deb11u10 || =2.3.3op2-3+deb11u2 || =2.3.3op2-3+deb11u3 || =2.3.3op2-3+deb11u4 || =2.3.3op2-3+deb11u5 || =2.3.3op2-3+deb11u6 || =2.3.3op2-3+deb11u7 || =2.3.3op2-3+deb11u8 || =2.3.3op2-3+deb11u9 || =2.3.3op2-4 || =2.3.3op2-5 || =2.3.3op2-6 || =2.3.3op2-7 || =2.4.10-1 || =2.4.10-2 || =2.4.10-3 || =2.4.10-4 || =2.4.14-1 || =2.4.15-1 || =2.4.16-1 || =2.4.17-1 || =2.4.18-1 || =2.4.1op1-1 || =2.4.1op1-2 || =2.4.2-1 || =2.4.2-2 || =2.4.2-3 || =2.4.2-4 || =2.4.2-5 || =2.4.2-6 || =2.4.7-1 || =2.4.7-1.1 || =2.4.7-1.2 || =2.4.7-2 || =2.4.7-3 | - |
debian 14 | | =2.4.10-3 || =2.4.10-4 || =2.4.14-1 || =2.4.15-1 || =2.4.16-1 || >=0 <2.4.17-1 | 2.4.17-1 |
rpm rhel7 | | - | - |
debian 12 | | =2.4.10-1 || =2.4.10-2 || =2.4.10-3 || =2.4.10-4 || =2.4.14-1 || =2.4.15-1 || =2.4.16-1 || =2.4.17-1 || =2.4.18-1 || =2.4.2-3 || =2.4.2-3+deb12u1 || =2.4.2-3+deb12u2 || =2.4.2-3+deb12u3 || =2.4.2-3+deb12u4 || =2.4.2-3+deb12u5 || =2.4.2-3+deb12u6 || =2.4.2-3+deb12u7 || =2.4.2-3+deb12u8 || =2.4.2-3+deb12u9 || =2.4.2-4 || =2.4.2-5 || =2.4.2-6 || =2.4.7-1 || =2.4.7-1.1 || =2.4.7-1.2 || =2.4.7-2 || =2.4.7-3 | - |
debian 13 | | =2.4.10-3 || =2.4.10-3+deb13u1 || =2.4.10-3+deb13u2 || =2.4.10-4 || =2.4.14-1 || =2.4.15-1 || =2.4.16-1 || =2.4.17-1 || =2.4.18-1 | - |
rpm rhel10 | | - | - |
rpm rhel6 | | - | - |
rpm rhel8 | | - | - |
 alpine v3.22 | | =1.4.1-r0 || =1.4.2-r0 || =1.4.2-r1 || =1.4.2-r2 || =1.4.3-r0 || =1.4.3-r1 || =1.4.3-r2 || =1.4.3-r3 || =1.4.4-r0 || =1.4.4-r1 || =1.4.5-r0 || =1.4.6-r0 || =1.4.7-r0 || =1.4.8-r0 || =1.5.0-r0 || =1.5.0-r1 || =1.5.0-r2 || =1.5.2-r0 || =1.5.2-r1 || =1.5.2-r2 || =1.5.2-r3 || =1.5.3-r0 || =1.5.4-r0 || =1.5.4-r1 || =1.6.1-r0 || =1.6.1-r1 || =1.6.2-r0 || =1.6.2-r1 || =1.6.3-r0 || =1.6.4-r0 || =1.7.0-r0 || =1.7.0-r1 || =1.7.1-r0 || =1.7.2-r0 || =1.7.3-r0 || =1.7.3-r1 || =1.7.4-r0 || =1.7.5-r0 || =2.0.0-r0 || =2.0.1-r0 || =2.0.2-r0 || =2.0.2-r1 || =2.0.2-r2 || =2.0.3-r0 || =2.0.4-r0 || =2.1.0-r0 || =2.1.1-r0 || =2.1.2-r0 || =2.1.3-r0 || =2.1.3-r1 || =2.1.4-r0 || =2.2.1-r0 || =2.2.1-r1 || =2.2.10-r0 || =2.2.11-r0 || =2.2.12-r0 || =2.2.12-r1 || =2.2.12-r2 || =2.2.2-r0 || =2.2.2-r1 || =2.2.2-r2 || =2.2.3-r0 || =2.2.3-r1 || =2.2.4-r0 || =2.2.5-r0 || =2.2.5-r1 || =2.2.6-r0 || =2.2.9-r0 || =2.3.3-r0 || =2.3.3-r1 || =2.3.3-r2 || =2.3.3-r3 || =2.3.3-r4 || =2.4.0-r0 || =2.4.1-r0 || =2.4.1-r1 || =2.4.10-r0 || =2.4.10-r1 || =2.4.11-r0 || =2.4.16-r0 || =2.4.2-r0 || =2.4.2-r1 || =2.4.2-r2 || =2.4.2-r3 || =2.4.2-r4 || =2.4.2-r5 || =2.4.2-r6 || =2.4.2-r7 || =2.4.3-r0 || =2.4.3-r1 || =2.4.4-r0 || =2.4.5-r0 || =2.4.6-r0 || =2.4.7-r0 || =2.4.7-r1 || =2.4.7-r2 || =2.4.7-r3 || =2.4.7-r4 || =2.4.8-r0 || =2.4.9-r0 || >=0 <2.4.18-r0 | 2.4.18-r0 |
