CVE-2017-15400 (GCVE-0-2017-15400)
Vulnerability from cvelistv5 – Published: 2018-02-07 23:00 – Updated: 2024-08-05 19:57
VLAI?
Summary
Insufficient restriction of IPP filters in CUPS in Google Chrome OS prior to 62.0.3202.74 allowed a remote attacker to execute a command with the same privileges as the cups daemon via a crafted PPD file, aka a printer zeroconfig CRLF issue.
Severity ?
No CVSS data available.
CWE
- Script injection
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Google Chrome OS prior to 62.0.3202.74 |
Affected:
Google Chrome OS prior to 62.0.3202.74
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T19:57:26.090Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "DSA-4243",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2018/dsa-4243"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://chromereleases.googleblog.com/2017/10/stable-channel-update-for-chrome-os_27.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://crbug.com/777215"
},
{
"name": "GLSA-201908-08",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/201908-08"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Google Chrome OS prior to 62.0.3202.74",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Google Chrome OS prior to 62.0.3202.74"
}
]
}
],
"datePublic": "2017-10-17T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Insufficient restriction of IPP filters in CUPS in Google Chrome OS prior to 62.0.3202.74 allowed a remote attacker to execute a command with the same privileges as the cups daemon via a crafted PPD file, aka a printer zeroconfig CRLF issue."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Script injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-08-15T17:06:09",
"orgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28",
"shortName": "Chrome"
},
"references": [
{
"name": "DSA-4243",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2018/dsa-4243"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://chromereleases.googleblog.com/2017/10/stable-channel-update-for-chrome-os_27.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://crbug.com/777215"
},
{
"name": "GLSA-201908-08",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/201908-08"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@google.com",
"ID": "CVE-2017-15400",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Google Chrome OS prior to 62.0.3202.74",
"version": {
"version_data": [
{
"version_value": "Google Chrome OS prior to 62.0.3202.74"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Insufficient restriction of IPP filters in CUPS in Google Chrome OS prior to 62.0.3202.74 allowed a remote attacker to execute a command with the same privileges as the cups daemon via a crafted PPD file, aka a printer zeroconfig CRLF issue."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Script injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "DSA-4243",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2018/dsa-4243"
},
{
"name": "https://chromereleases.googleblog.com/2017/10/stable-channel-update-for-chrome-os_27.html",
"refsource": "MISC",
"url": "https://chromereleases.googleblog.com/2017/10/stable-channel-update-for-chrome-os_27.html"
},
{
"name": "https://crbug.com/777215",
"refsource": "MISC",
"url": "https://crbug.com/777215"
},
{
"name": "GLSA-201908-08",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/201908-08"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "ebfee0ef-53dd-4cf3-9e2a-08a5bd7a7e28",
"assignerShortName": "Chrome",
"cveId": "CVE-2017-15400",
"datePublished": "2018-02-07T23:00:00",
"dateReserved": "2017-10-17T00:00:00",
"dateUpdated": "2024-08-05T19:57:26.090Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:google:chrome_os:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"62.0.3202.74\", \"matchCriteriaId\": \"87004649-1263-4704-A4EE-B3132BFC08FD\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"Insufficient restriction of IPP filters in CUPS in Google Chrome OS prior to 62.0.3202.74 allowed a remote attacker to execute a command with the same privileges as the cups daemon via a crafted PPD file, aka a printer zeroconfig CRLF issue.\"}, {\"lang\": \"es\", \"value\": \"La restricci\\u00f3n insuficiente de filtros IPP en CUPS en Google Chrome OS, en versiones anteriores a la 62.0.3202.74, permite que un atacante remoto ejecute un comando con los mismos privilegios que el demonio cups mediante un archivo PPD manipulado. Esto tambi\\u00e9n se conoce como problema CRLF zeroconfig de impresora.\"}]",
"id": "CVE-2017-15400",
"lastModified": "2024-11-21T03:14:38.320",
"metrics": "{\"cvssMetricV30\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\", \"baseScore\": 7.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:C/I:C/A:C\", \"baseScore\": 9.3, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"COMPLETE\", \"integrityImpact\": \"COMPLETE\", \"availabilityImpact\": \"COMPLETE\"}, \"baseSeverity\": \"HIGH\", \"exploitabilityScore\": 8.6, \"impactScore\": 10.0, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}",
"published": "2018-02-07T23:29:00.937",
"references": "[{\"url\": \"https://chromereleases.googleblog.com/2017/10/stable-channel-update-for-chrome-os_27.html\", \"source\": \"chrome-cve-admin@google.com\"}, {\"url\": \"https://crbug.com/777215\", \"source\": \"chrome-cve-admin@google.com\"}, {\"url\": \"https://security.gentoo.org/glsa/201908-08\", \"source\": \"chrome-cve-admin@google.com\"}, {\"url\": \"https://www.debian.org/security/2018/dsa-4243\", \"source\": \"chrome-cve-admin@google.com\"}, {\"url\": \"https://chromereleases.googleblog.com/2017/10/stable-channel-update-for-chrome-os_27.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://crbug.com/777215\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://security.gentoo.org/glsa/201908-08\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://www.debian.org/security/2018/dsa-4243\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
"sourceIdentifier": "chrome-cve-admin@google.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-93\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2017-15400\",\"sourceIdentifier\":\"chrome-cve-admin@google.com\",\"published\":\"2018-02-07T23:29:00.937\",\"lastModified\":\"2024-11-21T03:14:38.320\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Insufficient restriction of IPP filters in CUPS in Google Chrome OS prior to 62.0.3202.74 allowed a remote attacker to execute a command with the same privileges as the cups daemon via a crafted PPD file, aka a printer zeroconfig CRLF issue.\"},{\"lang\":\"es\",\"value\":\"La restricci\u00f3n insuficiente de filtros IPP en CUPS en Google Chrome OS, en versiones anteriores a la 62.0.3202.74, permite que un atacante remoto ejecute un comando con los mismos privilegios que el demonio cups mediante un archivo PPD manipulado. Esto tambi\u00e9n se conoce como problema CRLF zeroconfig de impresora.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:C/I:C/A:C\",\"baseScore\":9.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"COMPLETE\",\"integrityImpact\":\"COMPLETE\",\"availabilityImpact\":\"COMPLETE\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":8.6,\"impactScore\":10.0,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-93\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:google:chrome_os:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"62.0.3202.74\",\"matchCriteriaId\":\"87004649-1263-4704-A4EE-B3132BFC08FD\"}]}]}],\"references\":[{\"url\":\"https://chromereleases.googleblog.com/2017/10/stable-channel-update-for-chrome-os_27.html\",\"source\":\"chrome-cve-admin@google.com\"},{\"url\":\"https://crbug.com/777215\",\"source\":\"chrome-cve-admin@google.com\"},{\"url\":\"https://security.gentoo.org/glsa/201908-08\",\"source\":\"chrome-cve-admin@google.com\"},{\"url\":\"https://www.debian.org/security/2018/dsa-4243\",\"source\":\"chrome-cve-admin@google.com\"},{\"url\":\"https://chromereleases.googleblog.com/2017/10/stable-channel-update-for-chrome-os_27.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://crbug.com/777215\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://security.gentoo.org/glsa/201908-08\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.debian.org/security/2018/dsa-4243\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…