Unrated severity · NVD Advisory · Published Feb 16, 2018 · Updated Aug 5, 2024
CVE-2017-18190
Description
A localhost.localdomain whitelist entry in valid_host() in scheduler/client.c in CUPS before 2.2.2 allows remote attackers to execute arbitrary IPP commands by sending POST requests to the CUPS daemon in conjunction with DNS rebinding. The localhost.localdomain name is often resolved via a DNS server (neither the OS nor the web browser is responsible for ensuring that localhost.localdomain is 127.0.0.1).
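The check described above, as an added example (not CUPS source code and not taken from the advisory): a Host-header allowlist in C that contrasts the behaviour the description reports with a stricter form that accepts no `localhost.localdomain` entry. The function names, the strict allowlist contents and the sample header values are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Copy the name part of a Host header value into out, without ":port".
 * Bracketed IPv6 literals keep their brackets. Returns 0 on success. */
static int host_name(const char *hdr, char *out, size_t outlen)
{
    size_t n;
    if (!hdr) return -1;
    if (hdr[0] == '[') {
        const char *end = strchr(hdr, ']');
        /* After ']' only end of string or ":port" is acceptable. */
        if (!end || (end[1] != '\0' && end[1] != ':')) return -1;
        n = (size_t)(end - hdr) + 1;
    } else {
        n = strcspn(hdr, ":");
    }
    if (n == 0 || n >= outlen) return -1;
    memcpy(out, hdr, n);
    out[n] = '\0';
    return 0;
}

/* Strict allowlist (its contents are an assumption of this example). */
int host_is_loopback_strict(const char *hdr)
{
    char h[256];
    if (host_name(hdr, h, sizeof h)) return 0;
    return !strcasecmp(h, "localhost") || !strcmp(h, "127.0.0.1") ||
           !strcmp(h, "[::1]");
}

/* Behaviour the advisory describes: localhost.localdomain also passes. */
int host_is_loopback_legacy(const char *hdr)
{
    char h[256];
    if (host_name(hdr, h, sizeof h)) return 0;
    return host_is_loopback_strict(hdr) || !strcasecmp(h, "localhost.localdomain");
}

int main(void)
{
    /* Constructed Host header values, not captured traffic. */
    const char *t[] = { "localhost:631", "[::1]:631",
                        "localhost.localdomain:631", "localhost.example:631" };
    for (size_t i = 0; i < sizeof t / sizeof t[0]; i++)
        printf("%-26s legacy=%d strict=%d\n", t[i],
               host_is_loopback_legacy(t[i]), host_is_loopback_strict(t[i]));
    return 0;
}
```

A request whose Host value fails the strict check would be rejected before any IPP operation is processed; the only difference between the two functions is the `localhost.localdomain` entry.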
Affected products
osv-coords: 13 versions, each with no CPE and range < 1.7.5-20.3.1
- pkg:rpm/suse/cups&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP2
- pkg:rpm/suse/cups&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP3
- pkg:rpm/suse/cups&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP1-LTSS
- pkg:rpm/suse/cups&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2
- pkg:rpm/suse/cups&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3
- pkg:rpm/suse/cups&distro=SUSE%20Linux%20Enterprise%20Server%2012-LTSS
- pkg:rpm/suse/cups&distro=SUSE%20Linux%20Enterprise%20Server%20for%20Raspberry%20Pi%2012%20SP2
- pkg:rpm/suse/cups&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP1
- pkg:rpm/suse/cups&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2
- pkg:rpm/suse/cups&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3
- pkg:rpm/suse/cups&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP2
- pkg:rpm/suse/cups&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP3
- pkg:rpm/suse/cups&distro=SUSE%20OpenStack%20Cloud%206
References
- usn.ubuntu.com/3577-1/ (mitre; vendor-advisory; x_refsource_UBUNTU)
- bugs.chromium.org/p/project-zero/issues/detail (mitre; x_refsource_MISC)
- github.com/apple/cups/commit/afa80cb2b457bf8d64f775bed307588610476c41 (mitre; x_refsource_MISC)
- lists.debian.org/debian-lts-announce/2018/02/msg00023.html (mitre; mailing-list; x_refsource_MLIST)
- lists.debian.org/debian-lts-announce/2018/07/msg00003.html (mitre; mailing-list; x_refsource_MLIST)