CVE-2017-18190
HIGH 7.5, EPSS 0.90%, cups - security update
Published: 2018/2/16, Modified: 2025/11/19
Also known as: ALPINE-CVE-2017-18190, DEBIAN-CVE-2017-18190
Description
A localhost.localdomain whitelist entry in valid_host() in scheduler/client.c in CUPS before 2.2.2 allows remote attackers to execute arbitrary IPP commands by sending POST requests to the CUPS daemon in conjunction with DNS rebinding. The localhost.localdomain name is often resolved via a DNS server (neither the OS nor the web browser is responsible for ensuring that localhost.localdomain is 127.0.0.1).
Affected packages (4)
- Alpine/cups: from 0, < 2.2.2-r0
- Debian/cups: from 0, < 2.2.3-2
- Debian/cups: from 0, < 1.5.3-5+deb7u7
- Debian/cups: from 0, < 1.7.5-11+deb8u3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |