CVE-2024-47175

CRITICAL9.8EPSS 36.8%

cups - security update

Published: 9/26/2024Modified: 4/28/2026

Description

CUPS is a standards-based, open-source printing system, and `libppd` can be used for legacy PPD file support. The `libppd` function `ppdCreatePPDFromIPP2` does not sanitize IPP attributes when creating the PPD buffer. When used in combination with other functions such as `cfGetPrinterAttributes5`, can result in user controlled input and ultimately code execution via Foomatic. This vulnerability can be part of an exploit chain leading to remote code execution (RCE), as described in CVE-2024-47176.

Affected packages (4)

Alpine/cupsfrom 0, < 2.4.9-r1
Debian/cupsfrom 0, < 2.3.3op2-3+deb11u9
Debian/cupsfrom 0, < 2.3.3op2-3+deb11u9
Debian/cupsfrom 0, < 2.4.2-3+deb12u8

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (2)

ADVISORYhttps://security.alpinelinux.org/vuln/CVE-2024-47175
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2024-47175