#VU35883 Information disclosure in Ghostscript - CVE-2017-15652

Cybersecurity Help s.r.o.

Published: 2019-05-23 | Updated: 2020-08-08

Vulnerability identifier: #VU35883

Vulnerability risk: Medium

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2017-15652

CWE-ID: CWE-200

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Ghostscript
Universal components / Libraries / Libraries used by multiple products

Vendor: Artifex Software, Inc.

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

Artifex Ghostscript 9.22 is affected by: Obtain Information. The impact is: obtain sensitive information. The component is: affected source code file, affected function, affected executable, affected libga (imagemagick used that). The attack vector is: Someone must open a postscript file though ghostscript. Because of imagemagick also use libga, so it was affected as well.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Ghostscript: 9.22

External links
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2fc463d0e
https://www.securityfocus.com/bid/108463
https://bugs.ghostscript.com/show_bug.cgi?id=698676

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Information disclosure in Ghostscript