Tomer-Pl

**Name of the Vulnerable Software and Affected Versions** OpenPrinting CUPS versions prior to 2.4.17 **Description** A network-adjacent attacker can send a crafted SNMP response to the CUPS SNMP backend, leading to an out-of-bounds read of up to 176 bytes past a stack buffer. The leaked memory is converted from UTF-16 to UTF-8 and stored as printer supply description strings. These strings are then visible to authenticated users through the CUPS web interface and IPP Get-Printer-Attributes responses. **Recommendations** Update to version 2.4.17.

Name of the Vulnerable Software and Affected Versions OpenPrinting CUPS versions 2.4.16 and prior Description OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. An integer underflow in the ` ppdCreateFromIPP()` function (cups/ppd-cache.c) allows a local user to crash the cupsd root process by providing a negative job-password-supported IPP attribute. The validation only limits the upper bound, allowing a negative value to pass, which is then cast to size t, wrapping to a large positive value, and used as the length argument to `memset()` on a 33-byte stack buffer. This results in a SIGSEGV in the cupsd root process, potentially leading to a denial of service when combined with systemd's Restart=on-failure setting. Recommendations Update to a version of OpenPrinting CUPS later than 2.4.16.

Name of the Vulnerable Software and Affected Versions OpenPrinting CUPS versions 2.4.16 and prior Description OpenPrinting CUPS is a printing system for Linux and Unix-like systems. A use-after-free issue exists in the CUPS scheduler (`cupsd`) when temporary printers are automatically removed. The `cupsdDeleteTemporaryPrinters()` function in `scheduler/printers.c` calls `cupsdDeletePrinter()` without first expiring subscriptions referencing the printer, resulting in a dangling pointer (`cupsd subscription t.dest`) to freed memory. Dereferencing this pointer at various code locations can cause the `cupsd` daemon to crash, leading to a denial of service. Heap grooming could potentially lead to code execution. Recommendations Update OpenPrinting CUPS to a version later than 2.4.16.

**Name of the Vulnerable Software and Affected Versions** Soft Serve versions prior to 0.11.2 **Description** Soft Serve is a self-hostable Git server for the command line. An authorization bypass exists in the LFS lock deletion endpoint. Any authenticated user with repository write access can delete locks owned by other users by setting the `force` flag. The vulnerable code path processes force deletions before retrieving user context, bypassing ownership validation. The vulnerable endpoint is '/lfs/locks/{lock id}/delete'. **Recommendations** Versions prior to 0.11.2 should be updated to version 0.11.2 or later.

**Name of the Vulnerable Software and Affected Versions** Soft Serve versions prior to 0.11.1 **Description** Soft Serve, a self-hostable Git server, contains a Server-Side Request Forgery (SSRF) issue. The application does not validate webhook URLs, which allows repository administrators to create webhooks that target internal services, private networks, and cloud metadata endpoints. This can lead to cloud metadata theft, internal network access, port scanning, data exfiltration, and internal API access. The vulnerable components include Webhook Creation (pkg/ssh/cmd/webhooks.go:125), Backend CreateWebhook (pkg/backend/webhooks.go:17), Backend UpdateWebhook (pkg/backend/webhooks.go:122), and Webhook Delivery (pkg/webhook/webhook.go:97). An example of exploitation involves creating a webhook that accesses `http://127.0.0.1:8080/internal` using the `webhook create` command. **Recommendations** Versions prior to 0.11.1 should be updated to version 0.11.1 or later.