Input validation error in Ghostscript



| Updated: 2020-08-08
Risk High
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2018-16543
CWE-ID CWE-20
Exploitation vector Network
Public exploit N/A
Vulnerable software
 Ghostscript
Universal components / Libraries / Libraries used by multiple products

Vendor Artifex Software, Inc.

Security Bulletin

This security bulletin contains one high risk vulnerability.

1) Input validation error

EUVDB-ID: #VU36726

Risk: High

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2018-16543

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

In Artifex Ghostscript before 9.24, gssetresolution and gsgetresolution allow attackers to have an unspecified impact.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Ghostscript: 9.00 - 9.23

CPE2.3 External links

https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=5b5536fa88a9e885032bc0df3852c3439399a5c0
https://bugs.ghostscript.com/show_bug.cgi?id=699670
https://lists.debian.org/debian-lts-announce/2018/09/msg00038.html
https://security.gentoo.org/glsa/201811-12
https://usn.ubuntu.com/3768-1/
https://www.debian.org/security/2018/dsa-4288


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###