Permissions, Privileges, and Access Controls in ghostscript (Alpine package)



Risk: Low
Patch available: YES
Number of vulnerabilities: 1
CVE-ID: CVE-2019-14811
CWE-ID: CWE-264
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: ghostscript (Alpine package)
Category: Operating systems & Components / Operating system package or component
Vendor: Alpine Linux Development Team

Security Bulletin

This security bulletin contains one low-risk vulnerability.

1) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU20468

Risk: Low

CVSSv4.0: 0.4 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-14811

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to unrestricted access to .forceput in .pdf_hook_DSC_Creator. A remote attacker can create a specially crafted PDF file, trick the victim into opening it, and gain access to arbitrary files on the system.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

ghostscript (Alpine package): 9.04-r0 - 9.26-r3

External links

https://git.alpinelinux.org/aports/commit/?id=743e9bd4848ed6040e641fbe96e145887fd8beb6
https://git.alpinelinux.org/aports/commit/?id=d523278cd6edc33481e4d0d111f3e2d00ee34033
https://git.alpinelinux.org/aports/commit/?id=ea68e3cb473042136c9f22682b51d67c84cadba4
https://git.alpinelinux.org/aports/commit/?id=47e96eb4a65356706c4e6344e74859d045d38237
https://git.alpinelinux.org/aports/commit/?id=e275fe1eba5405bf6ed69734d53ef0325c507419


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


