CVE-2017-15400
Description
Insufficient restriction of IPP filters in CUPS in Google Chrome OS prior to 62.0.3202.74 allowed a remote attacker to execute a command with the same privileges as the cups daemon via a crafted PPD file, aka a printer zeroconfig CRLF issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A CRLF injection in CUPS IPP filters in Chrome OS allowed remote code execution via a crafted PPD file.
Vulnerability
Insufficient restriction of IPP filters in CUPS, specifically a printer zeroconfig CRLF issue, allowed a remote attacker to execute arbitrary commands with the privileges of the cups daemon. This vulnerability affects Google Chrome OS prior to version 62.0.3202.74. The attack vector involves a crafted PPD file that exploits the CRLF injection to bypass filter restrictions [1].
Exploitation
An attacker with network access can send a specially crafted PPD file to the CUPS service. By embedding CRLF sequences in the PPD file, the attacker can inject arbitrary commands into the IPP filter processing, leading to command execution. No authentication is required for this remote attack [1].
Impact
Successful exploitation allows the attacker to execute arbitrary commands with the same privileges as the cups daemon, which typically runs as root. This can result in full compromise of the affected system, including data theft, installation of malware, or further lateral movement within the network [1].
Mitigation
The vulnerability is fixed in Google Chrome OS version 62.0.3202.74. For CUPS installations on other platforms, upgrading to version 2.2.8 or later (e.g., via Gentoo's >=net-print/cups-2.2.8) is recommended. No workaround is available [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
References (4)
- security.gentoo.org/glsa/201908-08 (mitre, vendor-advisory, x_refsource_GENTOO)
- www.debian.org/security/2018/dsa-4243 (mitre, vendor-advisory, x_refsource_DEBIAN)
- chromereleases.googleblog.com/2017/10/stable-channel-update-for-chrome-os_27.html (mitre, x_refsource_MISC)
- crbug.com/777215 (mitre, x_refsource_MISC)