#VU92284 Input validation error in Ghostscript - CVE-2024-33870

Cybersecurity Help s.r.o.

Published: 2024-06-19

Vulnerability identifier: #VU92284

Vulnerability risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2024-33870

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Ghostscript
Universal components / Libraries / Libraries used by multiple products

Vendor: Artifex Software, Inc.

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to insufficient validation of user-supplied input when handling oaths. A remote attacker can pass specially crafted input to the application and execute arbitrary code on the system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Ghostscript: 9.00 - 10.03.0

External links
http://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=79aef19c685984dc3da2dc090450407d9fbcff80
http://ghostscript.readthedocs.io/en/gs10.03.1/News.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in OpenShift API for Data Protection (OADP) 1.3

openEuler 22.03 LTS SP3 update for ghostscript

openEuler 20.03 LTS SP4 update for ghostscript

openEuler 22.03 LTS SP1 update for ghostscript

Gentoo update for GPL Ghostscript

Red Hat Enterprise Linux 9 update for ghostscript

Oracle Solaris update for thrid-party components

Debian update for ghostscript

SUSE update for ghostscript