#VU15785 Improper input validation in Ghostscript - CVE-2018-16541

Cybersecurity Help s.r.o.

Published: 2018-11-09 | Updated: 2018-11-09

Vulnerability identifier: #VU15785

Vulnerability risk: Low

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-16541

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Ghostscript
Universal components / Libraries / Libraries used by multiple products

Vendor: Artifex Software, Inc.

Description
The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to insufficient validation of user-supplied input. A remote attacker can supply crafted PostScript files, use incorrect free logic in pagedevice replacement and crash the interpreter.

Mitigation
Update to version 9.24.

Vulnerable software versions

Ghostscript: 5.50 - 9.23

External links
https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=241d91112771a6104de10b3948c3f350d6690c1d

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Red Hat update for ghostscript

OpenSUSE Linux update for MozillaThunderbird