CVE-2018-15911Use of Uninitialized Resource in GPL Ghostscript

CWE-908Use of Uninitialized ResourceCWE-456Missing Initialization of a Variable9 documents8 sources
Severity
7.8HIGHNVD
EPSS
2.7%
top 14.11%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
11
Artifex GhostscriptArtifex GPL GhostscriptPulsesecure Pulse Connect Secure+8 more
Timeline
PublishedAug 28
Latest updateMay 13

Description

In Artifex Ghostscript 9.23 before 2018-08-24, attackers able to supply crafted PostScript could use uninitialized memory access in the aesdecode operator to crash the interpreter or potentially execute code.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages7 packages

Debianartifex/ghostscript< 9.22~dfsg-3+3
NVDpulsesecure/pulse_connect_secure8.2r1.08.2r12.1+2

Also affects: Debian Linux 8.0, 9.0, Ubuntu Linux 14.04, 16.04, 18.04, Enterprise Linux 7.6

Patches

Patch: kb.pulsesecure.netPatch: www.kb.cert.orgPatch: kb.pulsesecure.net

🔴Vulnerability Details

3
GHSA
GHSA-qm8r-ppx2-rghp: In Artifex Ghostscript 92022-05-13
CVEList
CVE-2018-15911: In Artifex Ghostscript 92018-08-28
OSV
CVE-2018-15911: In Artifex Ghostscript 92018-08-28

📋Vendor Advisories

3
Ubuntu
Ghostscript vulnerabilities2018-09-19
Red Hat
ghostscript: Uninitialized memory access in the aesdecode operator (699665)2018-09-06
Debian
CVE-2018-15911: ghostscript - In Artifex Ghostscript 9.23 before 2018-08-24, attackers able to supply crafted ...2018

💬Community

2
Bugzilla
CVE-2018-15911 ghostscript: Uninitialized memory access in the aesdecode operator (699665)2018-09-06
Bugzilla
CVE-2018-15911 ghostscript: uninitialized memory access in the aesdecode operator (699665) [fedora-all]2018-09-06
CVE-2018-15911 — Use of Uninitialized Resource | cvebase