CVE-2010-2055 — GPL Ghostscript vulnerability

CWE-1711 documents7 sources

Severity

7.2HIGHNVD

EPSS

0.1%

top 80.00%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Artifex Ghostscript Artifex GPL Ghostscript Artifex Afpl Ghostscript +1 more

Timeline

PublishedJul 22

Latest updateMay 17

Description

Ghostscript 8.71 and earlier reads initialization files from the current working directory, which allows local users to execute arbitrary PostScript commands via a Trojan horse file, related to improper support for the -P- option to the gs program, as demonstrated using gs_init.ps, a different vulnerability than CVE-2010-4820.

CVSS vector

AV:L/AC:L/C:C/I:C/A:CExploitability: 3.9 | Impact: 10.0

Affected Packages4 packages

▶Debianartifex/ghostscript< 8.71~dfsg2-6.1+3

▶NVDartifex/gpl_ghostscript8.71+13

▶NVDartifex/afpl_ghostscript16 versions+15

▶NVDartifex/ghostscript_fonts6.0, 8.11+1

Patches

Patch: bugzilla.redhat.com ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

GHSA

GHSA-pxh5-rx4p-mm6h: Ghostscript 8↗2022-05-17

▶

CVEList

CVE-2010-2055: Ghostscript 8↗2010-07-22

▶

OSV

CVE-2010-2055: Ghostscript 8↗2010-07-22

▶

📋Vendor Advisories

Red Hat

ghostscript: gs_init.ps searched in current directory despite -P-↗2010-05-26

▶

Red Hat

ghostscript: CWD included in the default library search path↗2010-05-26

▶

Debian

CVE-2010-2055: ghostscript - Ghostscript 8.71 and earlier reads initialization files from the current working...↗2010

▶

💬Community

Bugzilla

ghostcript (various many shell scripts): CWD included in the default script search path↗2013-01-07

▶

Bugzilla

CVE-2010-4820 ghostscript: CWD included in the default library search path↗2012-01-05

▶

Bugzilla

CVE-2010-2055 CVE-2009-3743 ghostscript various flaws [fedora-all]↗2011-11-22

▶

Bugzilla

CVE-2010-2055 ghostscript: gs_init.ps searched in current directory despite -P-↗2010-06-03

▶