#VU50402 Out-of-bounds read in CUPS - CVE-2020-10001


| Updated: 2022-05-26

Vulnerability identifier: #VU50402

Vulnerability risk: Medium

CVSSv4.0: 6.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2020-10001

CWE-ID: CWE-125

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
CUPS
Server applications / Other server solutions

Vendor: Apple Inc.

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition within the ippReadIO() function in CUPS. A remote attacker can send specially crafted data to the affected application, trigger an out-of-bounds read error and read contents of memory on the system or crash the service.

Mitigation
Install update from vendor's website.

Vulnerable software versions

CUPS: 2.0.0 - 2.3.3

External links
https://security.archlinux.org/advisory/ASA-202102-13

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in Juniper Secure Analytics (JSA)
Multiple vulnerabilities in IBM QRadar SIEM
Ubuntu update for cups
Ubuntu update for cups
Red Hat Enterprise Linux 8 update for cups
openEuler update for cups
Arch Linux update for cups
Information disclosure in Apple CUPS
Fedora 32 update for cups
Fedora 33 update for cups