Main Vulnerability Database SB2024110193

SB2024110193 - SUSE update for cups-filters

Published: November 1, 2024 Updated: November 22, 2024

Security Bulletin ID SB2024110193

Severity

High

Patch available

YES

Number of vulnerabilities 2

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Input validation error (CVE-ID: CVE-2024-47076)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to cfGetPrinterAttributes5 does not sanitize IPP attributes returned from an IPP server. A remote attacker can provide controlled data to the rest of the CUPS system.

2) Missing Authorization (CVE-ID: CVE-2024-47850)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to missing authorization when handling IPP UDP packets. A remote attacker can send a specially crafted IPP UDP packet requesting a printer to be added and force the application to send an HTTP POST request to an arbitrary IP address and port.

Successful exploitation of the vulnerability may allow an attacker to perform DDoS amplification attacks.

Remediation

Install update from vendor's website.

References

https://www.suse.com/support/update/announcement/2024/suse-su-20243863-1/