CVE-2017-8291: Artifex Ghostscript through 2017-04-26 allows -dSAFER bypass and remote command execution via .rsdparams type confusion with a "/OutputFile (%pipe%" substring…

high7.8CVSS 3.1

AVLACLPRNUIRSUCHIHAH

KEVITWEXPLOIT

CISA Known Exploited Vulnerabilitydue 2022-06-14

Exploited in the wild

Artifex Ghostscript through 2017-04-26 allows -dSAFER bypass and remote command execution via .rsdparams type confusion with a "/OutputFile (%pipe%" substring in a crafted .eps document that is an input to the gs program, as exploited in the wild in April 2017.

Affected

29 ranges· showing 25

Vendor	Product	Version range	Fixed in
artifex	ghostscript	< 9.21	9.21
artifex	ghostscript	>= 0 < 9.20~dfsg-3.1	9.20~dfsg-3.1
artifex	ghostscript	>= 0 < 9.20~dfsg-3.1	9.20~dfsg-3.1
artifex	ghostscript	>= 0 < 9.20~dfsg-3.1	9.20~dfsg-3.1
artifex	ghostscript	>= 0 < 9.20~dfsg-3.1	9.20~dfsg-3.1
artifex	ghostscript	>= 0 < 9.10~dfsg-0ubuntu10.7	9.10~dfsg-0ubuntu10.7
artifex	ghostscript	>= 0 < 9.10~dfsg-0ubuntu10.9	9.10~dfsg-0ubuntu10.9
artifex	ghostscript	>= 0 < 9.18~dfsg~0-0ubuntu2.4	9.18~dfsg~0-0ubuntu2.4
artifex	ghostscript	>= 0 < 9.18~dfsg~0-0ubuntu2.6	9.18~dfsg~0-0ubuntu2.6
debian	debian_linux	—	—
debian	ghostscript	< ghostscript 9.20~dfsg-3.1 (bookworm)	ghostscript 9.20~dfsg-3.1 (bookworm)
redhat	enterprise_linux_desktop	—	—
redhat	enterprise_linux_desktop	—	—
redhat	enterprise_linux_eus	—	—
redhat	enterprise_linux_eus	—	—
redhat	enterprise_linux_eus	—	—
redhat	enterprise_linux_eus	—	—
redhat	enterprise_linux_eus	—	—
redhat	enterprise_linux_server	—	—
redhat	enterprise_linux_server	—	—
redhat	enterprise_linux_server_aus	—	—
redhat	enterprise_linux_server_aus	—	—
redhat	enterprise_linux_server_aus	—	—
redhat	enterprise_linux_server_aus	—	—
redhat	enterprise_linux_server_tus	—	—

CVSS provenance

nvdv3.17.8HIGHCVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

osv7.8HIGH

vulncheck7.8HIGH

cisa7.8HIGH