CVE-2024-47176
Publication date 6 October 2024
Last updated 9 October 2024
Ubuntu priority
Cvss 3 Severity Score
CUPS is a standards-based, open-source printing system, and `cups-browsed` contains network printing functionality including, but not limited to, auto-discovering print services and shared printers. `cups-browsed` binds to `INADDR_ANY:631`, causing it to trust any packet from any source, and can cause the `Get-Printer-Attributes` IPP request to an attacker controlled URL. When combined with other vulnerabilities, such as CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177, an attacker can execute arbitrary commands remotely on the target machine without authentication when a malicious printer is printed to.
Status
Package | Ubuntu Release | Status |
---|---|---|
cups-browsed | 24.04 LTS noble |
Fixed 2.0.0-0ubuntu10.1
|
22.04 LTS jammy | Not in release | |
20.04 LTS focal | Not in release | |
cups-filters | 24.04 LTS noble |
Not affected
|
22.04 LTS jammy |
Fixed 1.28.15-0ubuntu1.3
|
|
20.04 LTS focal |
Fixed 1.27.4-1ubuntu0.3
|
|
18.04 LTS bionic |
Fixed 1.20.2-0ubuntu3.3+esm1
|
|
16.04 LTS xenial |
Fixed 1.8.3-2ubuntu3.5+esm2
|
Get expanded security coverage with Ubuntu Pro
Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.
Get Ubuntu ProNotes
Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.5 · High |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | None |
Integrity impact | None |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-7042-1
- cups-browsed vulnerability
- 26 September 2024
- USN-7043-1
- cups-filters vulnerabilities
- 26 September 2024
- USN-7043-2
- cups-filters vulnerability
- 1 October 2024
- USN-7043-3
- cups-filters vulnerability
- 7 October 2024
- USN-7042-2
- cups-browsed vulnerability
- 9 October 2024
- USN-7043-4
- cups-filters vulnerabilities
- 9 October 2024
- USN-7042-3
- cups-browsed vulnerability
- 21 October 2024
Other references
- https://www.cve.org/CVERecord?id=CVE-2024-47176
- https://github.com/OpenPrinting/cups-browsed/security/advisories/GHSA-rj88-6mr5-rcw8
- https://sne.bianheman.eu.org/blog/cups-remote-code-execution-vulnerability-fix-available
- https://github.com/OpenPrinting/cups-filters/commit/6fd2bdfbdce (legacy 1.5.x)