RCE in Linuxfoundation Cups-filters

CVE-2015-2265

The remove_bad_chars function in utils/cups-browsed.c in cups-filters before 1.0.66 allows remote IPP printers to execute arbitrary commands via consecutive shell metacharacters in the (1) model or (2) PDL. NOTE: this vulnerability exists…

Vulnerability class: Command Injection (OS Command Injection)

EPSS: 0.058 (90.6th percentile) — read the EPSS interpretation.

Affected products

Linuxfoundation Cups-filters
Canonical Ubuntu_linux — versions 14.04, 14.10
N/a — versions n/a

Weakness classification (CWE)

CWE-77 — Command Injection

References

cve@mitre.org (x_refsource_CONFIRM, Exploit)
MDVSA-2015:196 (vendor-advisory, x_refsource_MANDRIVA)
cve@mitre.org (x_refsource_CONFIRM, Vendor Advisory)
USN-2532-1 (x_refsource_UBUNTU, vendor-advisory, Patch)
cve@mitre.org (x_refsource_CONFIRM)
openSUSE-SU-2015:1244 (vendor-advisory, x_refsource_SUSE)