Arbitrary Command Injection in cups-filters | CVE-2024-47177

Q: How to fix?

There is no fixed version for Debian:unstable cups-filters .

Threat Intelligence

Proof of concept

0.04% (12^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Arbitrary Command Injection vulnerabilities in an interactive lesson.

Start learning

Snyk IDSNYK-DEBIANUNSTABLE-CUPSFILTERS-8098338
published27 Sept 2024
disclosed26 Sept 2024

Report a new vulnerability Found a mistake?

Introduced: 26 Sep 2024

CVE-2024-47177 (opens in a new tab) CWE-77 (opens in a new tab)

How to fix?

There is no fixed version for Debian:unstable cups-filters.

NVD Description

Note: Versions mentioned in the description apply only to the upstream cups-filters package and not the cups-filters package as distributed by Debian. See How to fix? for Debian:unstable relevant fixed versions and status.

CUPS is a standards-based, open-source printing system, and cups-filters provides backends, filters, and other software for CUPS 2.x to use on non-Mac OS systems. Any value passed to FoomaticRIPCommandLine via a PPD file will be executed as a user controlled command. When combined with other logic bugs as described in CVE_2024-47176, this can lead to remote command execution.

References

CVSS Scores

version 4.0

version 3.1

Attack Vector (AV)
Local
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
Low
Integrity (VI)
High
Availability (VA)
Low

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None

Arbitrary Command Injection Affecting cups-filters package, versions *

Severity