CVE-2018-16863 — Incomplete List of Disallowed Inputs in Ghostscript

CWE-184 — Incomplete List of Disallowed Inputs CWE-78 — OS Command Injection6 documents6 sources

Severity

7.8HIGHNVD

EPSS

0.1%

top 75.65%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

7

Artifex Ghostscript Redhat Enterprise Linux Desktop Redhat Enterprise Linux Server +4 more

Timeline

PublishedDec 3

Latest updateMay 13

Description

It was found that RHSA-2018:2918 did not fully fix CVE-2018-16509. An attacker could possibly exploit another variant of the flaw and bypass the -dSAFER protection to, for example, execute arbitrary shell commands via a specially crafted PostScript document. This only affects ghostscript 9.07 as shipped with Red Hat Enterprise Linux 7.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages5 packages

▶NVDredhat/enterprise_linux_server7.0

▶NVDredhat/enterprise_linux_desktop7.0

▶NVDredhat/enterprise_linux_workstation7.0

▶CVEListV5artifex/ghostscript9.07

▶NVDartifex/ghostscript9.07

Also affects: Enterprise Linux 7.6

Patches

Patch: bugzilla.redhat.com ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

2

GHSA

GHSA-83g5-f7jm-c8fc: It was found that RHSA-2018:2918 did not fully fix CVE-2018-16509↗2022-05-13

▶

CVEList

CVE-2018-16863: It was found that RHSA-2018:2918 did not fully fix CVE-2018-16509↗2018-12-03

▶

📋Vendor Advisories

2

Red Hat

ghostscript: incomplete fix for CVE-2018-16509↗2018-12-03

▶

Debian

CVE-2018-16863: ghostscript - It was found that RHSA-2018:2918 did not fully fix CVE-2018-16509. An attacker c...↗2018

▶

💬Community

1

Bugzilla

CVE-2018-16863 ghostscript: incomplete fix for CVE-2018-16509↗2018-11-23

▶

CVE-2018-16863 — Incomplete List of Disallowed Inputs | cvebase