CVE-2024-47076

EUVD-2024-42263
CUPS is a standards-based, open-source printing system, and `libcupsfilters` contains the code of the filters of the former `cups-filters` package as library functions to be used for the data format conversion tasks needed in Printer Applications. The `cfGetPrinterAttributes5` function in `libcupsfilters` does not sanitize IPP attributes returned from an IPP server. When these IPP attributes are used, for instance, to generate a PPD file, this can result in attacker-controlled data being provided to the rest of the CUPS system.

| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 8.6 HIGH | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N |
| GitHub_M | CNA | 8.6 HIGH | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N |

EPSS Score
Percentile: 98%
Affected Products (NVD)

| Vendor | Product | Version |
|---|---|---|
| openprinting | libcupsfilters | 𝑥 ≤ 2.0.0 |
| openprinting | libcupsfilters | 2.1:beta1 |

𝑥 = Vulnerable software versions

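Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| cups-filters | bookworm | 1.28.17-3+deb12u1 | fixed |
| cups-filters | bookworm (security) | 1.28.17-3+deb12u1 | fixed |
| cups-filters | bullseye | | vulnerable |
| cups-filters | bullseye (security) | 1.28.7-1+deb11u4 | fixed |
| cups-filters | forky | 1.28.17-7 | fixed |
| cups-filters | sid | 1.28.17-7 | fixed |
| cups-filters | trixie | 1.28.17-6 | fixed |
| libcupsfilters | forky | 2.1.1-2 | fixed |
| libcupsfilters | sid | 2.1.1-2 | fixed |
| libcupsfilters | trixie | 2.0.0-3 | fixed |
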
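Ubuntu Releases

| Ubuntu Product | Codename | Version | Status |
|---|---|---|---|
| libcupsfilters | focal | | dne |
| libcupsfilters | jammy | | dne |
| libcupsfilters | noble | Fixed 2.0.0-0ubuntu7.1 | released |
| libcupsfilters | oracular | Fixed 2.1~b1-0ubuntu3 | released |
| libcupsfilters | plucky | Fixed 2.1~b1-0ubuntu3 | released |
| libcupsfilters | questing | Fixed 2.1~b1-0ubuntu3 | released |
| cups-filters | bionic | | not-affected |
| cups-filters | focal | Fixed 1.27.4-1ubuntu0.4 | released |
| cups-filters | jammy | Fixed 1.28.15-0ubuntu1.4 | released |
| cups-filters | noble | | not-affected |
| cups-filters | oracular | | not-affected |
| cups-filters | plucky | | not-affected |
| cups-filters | questing | | not-affected |
| cups-filters | xenial | | not-affected |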