CVE-2023-34095

cpdb-libs vulnerable to buffer overflows via scanf

Severity Score

9.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

cpdb-libs provides frontend and backend libraries for the Common Printing Dialog Backends (CPDB) project. In versions 1.0 through 2.0b4, cpdb-libs is vulnerable to buffer overflows via improper use of `scanf(3)`. cpdb-libs uses the `fscanf()` and `scanf()` functions to parse command lines and configuration files, dropping the read string components into fixed-length buffers, but does not limit the length of the strings to be read by `fscanf()` and `scanf()` causing buffer overflows when a string is longer than 1023 characters. A patch for this issue is available at commit f181bd1f14757c2ae0f17cc76dc20421a40f30b7. As all buffers have a length of 1024 characters, the patch limits the maximum string length to be read to 1023 by replacing all occurrences of `%s` with `%1023s` in all calls of the `fscanf()` and `scanf()` functions.

Seth Arnold discovered that CPDB incorrectly handled certain characters. An attacker could possibly use this issue to cause a crash or execute arbitrary code.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

Poc

Automatable

Yes

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2023-05-25 CVE Reserved
2023-06-14 CVE Published
2025-02-13 CVE Updated
2025-02-13 First Exploit
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-121: Stack-based Buffer Overflow

CAPEC

References (6)

URL	Tag	Source
https://github.com/OpenPrinting/cpdb-libs/blob/85555fba64d34f53a2fce099b0488904cc48ed35/cpdb/cpdb-frontend.c#L372	Product
https://github.com/OpenPrinting/cpdb-libs/blob/85555fba64d34f53a2fce099b0488904cc48ed35/tools/cpdb-text-frontend.c#L362	Product
https://github.com/OpenPrinting/cpdb-libs/blob/85555fba64d34f53a2fce099b0488904cc48ed35/tools/cpdb-text-frontend.c#L453	Product

URL	Date	SRC
http://www.openwall.com/lists/oss-security/2023/06/14/7	2025-02-13
https://github.com/OpenPrinting/cpdb-libs/security/advisories/GHSA-25j7-9gfc-f46x	2025-02-13

URL	Date	SRC
https://github.com/OpenPrinting/cpdb-libs/commit/f181bd1f14757c2ae0f17cc76dc20421a40f30b7	2023-06-26

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Openprinting Search vendor "Openprinting"		Cpdb-libs Search vendor "Openprinting" for product "Cpdb-libs"				>= 1.0 < 2.0 Search vendor "Openprinting" for product "Cpdb-libs" and version " >= 1.0 < 2.0"		-		Affected
Openprinting Search vendor "Openprinting"		Cpdb-libs Search vendor "Openprinting" for product "Cpdb-libs"				2.0 Search vendor "Openprinting" for product "Cpdb-libs" and version "2.0"		beta1		Affected
Openprinting Search vendor "Openprinting"		Cpdb-libs Search vendor "Openprinting" for product "Cpdb-libs"				2.0 Search vendor "Openprinting" for product "Cpdb-libs" and version "2.0"		beta2		Affected
Openprinting Search vendor "Openprinting"		Cpdb-libs Search vendor "Openprinting" for product "Cpdb-libs"				2.0 Search vendor "Openprinting" for product "Cpdb-libs" and version "2.0"		beta3		Affected
Openprinting Search vendor "Openprinting"		Cpdb-libs Search vendor "Openprinting" for product "Cpdb-libs"				2.0 Search vendor "Openprinting" for product "Cpdb-libs" and version "2.0"		beta4		Affected