CVE-2024-47076
Published: 26 September 2024
Summary
CVE-2024-47076 is a high-severity Improper Input Validation (CWE-20) vulnerability in OpenPrinting libcupsfilters. Its CVSS base score is 8.6 (High).
Operationally, it ranks in the top 1.1% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
The vulnerability is an input sanitization flaw (CWE-20) in the cfGetPrinterAttributes5 function within libcupsfilters, a component of the CUPS printing system that handles IPP attribute processing and PPD file generation for printer applications. It affects versions of libcupsfilters, cups-filters, libppd, and cups-browsed maintained by OpenPrinting, allowing unsanitized data returned from remote IPP servers to propagate into other CUPS components.
An unauthenticated remote attacker can supply malicious IPP attributes from a rogue or compromised IPP server. When CUPS processes these attributes, for example during printer discovery or PPD generation, the attacker-controlled data can alter system behavior, resulting in a high integrity impact without requiring user interaction or local access.
Security advisories published by OpenPrinting for the affected repositories detail the issue and point to updated versions that address the lack of sanitization; the CUPS project site also provides related guidance.
The EPSS score has reached approximately 0.76, indicating substantial exploitation interest following disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-42263
Vulnerability details
CUPS is a standards-based, open-source printing system, and `libcupsfilters` contains the code of the filters of the former `cups-filters` package as library functions to be used for the data format conversion tasks needed in Printer Applications. The `cfGetPrinterAttributes5` function in `libcupsfilters` does not sanitize IPP attributes returned from an IPP server. When these IPP attributes are used, for instance, to generate a PPD file, this can lead to attacker-controlled data being provided to the rest of the CUPS system.
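The kind of check whose absence is described above, as an added example that is not code from libcupsfilters or the OpenPrinting fix: a conservative allow-list applied to a string received from an IPP server before it is written into a PPD line. The names `ppd_value_is_safe`, `ppd_emit_line` and `PPD_VALUE_MAX`, the length limit and the allow-list policy are assumptions made for illustration, and the sample values are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical policy limit for one PPD value; not taken from libcupsfilters. */
#define PPD_VALUE_MAX 255

/* Return 1 if `value` can be embedded in a one-line PPD quoted value:
 * bounded length, printable ASCII only, no double quote. */
int ppd_value_is_safe(const char *value)
{
    size_t len;
    if (value == NULL)
        return 0;
    len = strlen(value);
    if (len == 0 || len > PPD_VALUE_MAX)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)value[i];
        if (c < 0x20 || c > 0x7e || c == '"')
            return 0;   /* control byte, non-ASCII byte, or quote terminator */
    }
    return 1;
}

/* Write `*Keyword: "value"` into out; return 0 on success, -1 if rejected.
 * `keyword` is expected to be a literal chosen by the caller, never remote data. */
int ppd_emit_line(char *out, size_t outsz, const char *keyword, const char *value)
{
    int n;
    if (!ppd_value_is_safe(value))
        return -1;
    n = snprintf(out, outsz, "*%s: \"%s\"\n", keyword, value);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

int main(void)
{
    /* Constructed values standing in for strings returned by an IPP server. */
    const char *benign = "Example Printer 1000";
    const char *hostile = "Example\"\n*ExtraKeyword: \"x";
    char line[512];

    printf("benign:  %d\n", ppd_emit_line(line, sizeof line, "ModelName", benign));
    printf("hostile: %d\n", ppd_emit_line(line, sizeof line, "ModelName", hostile));
    return 0;
}
```

Rejecting the value outright, rather than escaping it, keeps a malformed attribute from reaching any later consumer of the generated file.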
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Security testing and developer training directly verify and enforce proper input validation, reducing exploitability of injection and malformed-data weaknesses.
Security testing and evaluation at multiple SDLC stages directly detects missing or flawed input validation, with the required remediation process ensuring fixes are applied.
Directly implements checks on information inputs to reject invalid data before processing.
Spam protection mechanisms perform filtering and detection on inbound/outbound messages, directly compensating for missing or weak input validation of unsolicited content.