CVE-2019-14813

CWE-648CWE-863Incorrect Authorization10 documents8 sources
Severity
9.8CRITICAL
EPSS
8.5%
top 7.65%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
13
Artifex GhostscriptArtifex Software GhostscriptDebian Debian Linux+10 more
Timeline
PublishedSep 6
Latest updateMay 24

Description

A flaw was found in ghostscript, versions 9.x before 9.50, in the setsystemparams procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages8 packages

Debianghostscript< 9.28~~rc2~dfsg-1+3
Ubuntughostscript< 9.26~dfsg+0-0ubuntu0.16.04.11+1
NVDartifex/ghostscript9.009.50
CVEListV5artifex_software/ghostscriptghostscript versions 9.x before 9.28
NVDopensuse/leap15.0, 15.1+1

Also affects: Debian Linux 10.0, 8.0, 9.0, Fedora 29, 30, 31, Enterprise Linux 7.0, 8.0, 7.7, Openshift Container Platform 3.11, 4.1

Patches

Patch: bugzilla.redhat.comPatch: bugzilla.redhat.com

🔴Vulnerability Details

4
GHSA
GHSA-r3w6-mj6m-w4m6: A flaw was found in ghostscript, versions 92022-05-24
CVEList
CVE-2019-14813: A flaw was found in ghostscript, versions 92019-09-06
OSV
CVE-2019-14813: A flaw was found in ghostscript, versions 92019-09-06
OSV
ghostscript vulnerabilities2019-08-29

📋Vendor Advisories

3
Ubuntu
Ghostscript vulnerabilities2019-08-29
Red Hat
ghostscript: Safer mode bypass by .forceput exposure in setsystemparams (701443)2019-08-28
Debian
CVE-2019-14813: ghostscript - A flaw was found in ghostscript, versions 9.x before 9.50, in the setsystemparam...2019

💬Community

2
Bugzilla
CVE-2019-14813 ghostscript: Safer mode bypass by .forceput exposure in setsystemparams (701443) [fedora-all]2019-09-02
Bugzilla
CVE-2019-14813 ghostscript: Safer mode bypass by .forceput exposure in setsystemparams (701443)2019-08-20