I'm not sure the picture for the attack path is correct. There should be 3 devices involved, printer server (cups-browsed), attacker's IPP server, and the client where the fake printer will be available, right? The execution is on the client, and as lp user. There's no root involved. The author mentioned that the printer is potentially exploitable, but he didn't spend time on it and that's not what the cve's are able.
I'm not sure the picture for the attack path is correct. There should be 3 devices involved, printer server (cups-browsed), attacker's IPP server, and the client where the fake printer will be available, right? The execution is on the client, and as lp user. There's no root involved. The author mentioned that the printer is potentially exploitable, but he didn't spend time on it and that's not what the cve's are able.
Thanks, I updated to hopefully make it more clear!