#VU92283 Input validation error in Ghostscript - CVE-2024-33869

Cybersecurity Help s.r.o.

Published: 2024-06-19

Vulnerability identifier: #VU92283

Vulnerability risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2024-33869

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Ghostscript
Universal components / Libraries / Libraries used by multiple products

Vendor: Artifex Software, Inc.

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to insufficient validation of user-supplied input when handling oaths. A remote attacker can pass specially crafted input to the application and execute arbitrary code on the system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Ghostscript: 9.00 - 10.03.0

External links
https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=f5336e5b4154f515ac83bc5b9eba94302e6618d4
https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=5ae2e320d69a7d0973011796bd388cd5befa1a43
https://ghostscript.readthedocs.io/en/gs10.03.1/News.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Anolis OS update for ghostscript

Multiple vulnerabilities in OpenShift API for Data Protection (OADP) 1.3

openEuler 22.03 LTS SP3 update for ghostscript

openEuler 20.03 LTS SP4 update for ghostscript

openEuler 22.03 LTS SP1 update for ghostscript

Gentoo update for GPL Ghostscript

Red Hat Enterprise Linux 9 update for ghostscript

Fedora 39 update for ghostscript

Fedora 40 update for ghostscript