CVE-2025-58060: 
Rocky Linux vulnerability analysis and mitigation

OpenPrinting CUPS, an open source printing system for Linux and Unix-like operating systems, was found to contain an authentication bypass vulnerability (CVE-2025-58060). In versions 2.4.12 and earlier, when the AuthType is configured to anything other than Basic, if the request contains an Authorization: Basic header, the password verification step is bypassed, leading to potential unauthorized access (NVD, GitHub Advisory).

The vulnerability exists in the authentication handling mechanism of CUPS. Specifically, when the Authorization header is set to Basic, but the cupsdAuthorize type in scheduler/auth.c is not CUPSDAUTHBASIC, the password verification step is completely skipped. The vulnerability has been assigned a CVSS v3.1 base score of 8.0 (High) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H, indicating local attack vector, low attack complexity, no privileges required, and high impact on integrity and availability (GitHub Advisory).

The vulnerability allows for authentication bypass in CUPS installations. Any configuration that permits an AuthType other than Basic is affected. An attacker could potentially gain unauthorized access to the CUPS printing system by exploiting this vulnerability, leading to high impacts on system integrity and availability, with a lower impact on confidentiality (GitHub Advisory).

The vulnerability has been fixed in CUPS version 2.4.13. Users are advised to upgrade to this version or later. The fix involves blocking authentication attempts using alternate methods when Basic authentication is not enabled (GitHub Patch).