CVE-2014-3741

Name of the Vulnerable Software and Affected Versions node-printer versions 0.0.1 and earlier

Description The issue is related to the printDirect function in the node-printer module, which allows remote attackers to execute arbitrary commands via unspecified characters in the lpr command. This is due to a lack of input data sanitization. The vulnerability can be exploited to execute arbitrary commands. Researchers have demonstrated the potential for attacks, including DDoS, denial of service, and man-in-the-middle attacks, by exploiting vulnerabilities in printers. It is estimated that tens of thousands of devices are potentially vulnerable, with the most vulnerable devices found in countries such as Germany, Russia, France, Netherlands, and the United Kingdom.

Recommendations For node-printer versions 0.0.1 and earlier, update to version 0.0.2 or later. As a temporary workaround, consider disabling the printDirect() function until a patch is available. Restrict access to the lpr command to minimize the risk of exploitation. Avoid using the lpr command in the affected API endpoint until the issue is resolved.