CVE-2024-47177

2024-09-2622:15:04

Debian Security Bug Tracker

security-tracker.debian.org

cups 2.x

remote command execution

ppd files

unix

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

AI Score

7.5

Confidence

Low

EPSS

Percentile

10.9%

JSON

CUPS is a standards-based, open-source printing system, and cups-filters provides backends, filters, and other software for CUPS 2.x to use on non-Mac OS systems. Any value passed to FoomaticRIPCommandLine via a PPD file will be executed as a user controlled command. When combined with other logic bugs as described in CVE_2024-47176, this can lead to remote command execution.

OSVersionArchitecturePackageVersionFilename
Debian12allcups-filters<= 1.28.17-3cups-filters_1.28.17-3_all.deb
Debian11allcups-filters<= 1.28.7-1+deb11u2cups-filters_1.28.7-1+deb11u2_all.deb
Debian999allcups-filters<= 1.28.17-5cups-filters_1.28.17-5_all.deb
Debian13allcups-filters<= 1.28.17-4.1cups-filters_1.28.17-4.1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	cups-filters	<= 1.28.17-3	cups-filters_1.28.17-3_all.deb
Debian	11	all	cups-filters	<= 1.28.7-1+deb11u2	cups-filters_1.28.7-1+deb11u2_all.deb
Debian	999	all	cups-filters	<= 1.28.17-5	cups-filters_1.28.17-5_all.deb
Debian	13	all	cups-filters	<= 1.28.17-4.1	cups-filters_1.28.17-4.1_all.deb