Arbitrary Command Injection in cups-filters | CVE-2024-47177

Q: How to fix?

There is no fixed version for RHEL:8 cups-filters .

Threat Intelligence

Proof of Concept

82.2% (100^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Arbitrary Command Injection vulnerabilities in an interactive lesson.

Start learning

Snyk IDSNYK-RHEL8-CUPSFILTERS-8102626
published27 Sept 2024
disclosed26 Sept 2024

Report a new vulnerability Found a mistake?

Introduced: 26 Sep 2024

CVE-2024-47177 (opens in a new tab) CWE-77 (opens in a new tab)

How to fix?

There is no fixed version for RHEL:8 cups-filters.

NVD Description

Note: Versions mentioned in the description apply only to the upstream cups-filters package and not the cups-filters package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

** DISPUTED ** CUPS is a standards-based, open-source printing system, and cups-filters provides backends, filters, and other software for CUPS 2.x to use on non-Mac OS systems. Any value passed to FoomaticRIPCommandLine via a PPD file will be executed as a user controlled command. When combined with other logic bugs as described in CVE-2024-47176, this can lead to remote command execution.

This vulnerability has been disputed by a third party because FoomaticRIPCommandLine is functionality that is intended to execute administrator specified code.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Local
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
Low
Integrity (VI)
High
Availability (VA)
Low

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None

Arbitrary Command Injection Affecting cups-filters package, versions *

Severity