CVE-2018-4180
It was discovered that CUPS allows non-root users to pass environment variables to CUPS backends. Affected backends use attacker-controlled environment variables without proper sanitization. A local attacker, who is part of one of the groups specified in the SystemGroups directive, could use the cupsctl binary to set SetEnv and PassEnv directives and potentially controls the flow of the affected backend, resulting in some cases in arbitrary code execution with root privileges.
Find out more about CVE-2018-4180 from the MITRE CVE dictionary dictionary and NIST NVD.
CVSS v3 metrics
NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.
| CVSS3 Base Score | 6.7 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| Attack Vector | Local |
| Attack Complexity | Low |
| Privileges Required | High |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity Impact | High |
| Availability Impact | High |
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat Virtualization 4 | cups | Not affected |
| Red Hat Enterprise Linux 7 | cups | Affected |
| Red Hat Enterprise Linux 6 | cups | Will not fix |
| Red Hat Enterprise Linux 5 | cups | Will not fix |
Mitigation
Do not add untrusted users to sys and root groups.