CVE-2019-3835Incorrect Use of Privileged APIs in Ghostscript

CWE-648Incorrect Use of Privileged APIsCWE-862Missing Authorization9 documents8 sources
Severity
5.5MEDIUMNVD
EPSS
1.6%
top 18.01%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
12
Artifex GhostscriptTHE Ghostscript Project GhostscriptDebian Linux+9 more
Timeline
PublishedMar 25
Latest updateMay 13

Description

It was found that the superexec operator was available in the internal dictionary in ghostscript before 9.27. A specially crafted PostScript file could use this flaw in order to, for example, have access to the file system outside of the constrains imposed by -dSAFER.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages8 packages

Debianartifex/ghostscript< 9.27~dfsg-1+3
NVDopensuse/leap15.0, 15.1+1

Also affects: Debian Linux 8.0, 9.0, Fedora 28, 29, 30, Enterprise Linux 7.6

🔴Vulnerability Details

3
GHSA
GHSA-22vx-j9g4-5q8f: It was found that the superexec operator was available in the internal dictionary in ghostscript before 92022-05-13
CVEList
CVE-2019-3835: It was found that the superexec operator was available in the internal dictionary in ghostscript before 92019-03-25
OSV
CVE-2019-3835: It was found that the superexec operator was available in the internal dictionary in ghostscript before 92019-03-25

📋Vendor Advisories

3
Ubuntu
Ghostscript vulnerabilities2019-03-21
Red Hat
ghostscript: superexec operator is available (700585)2019-03-21
Debian
CVE-2019-3835: ghostscript - It was found that the superexec operator was available in the internal dictionar...2019

💬Community

2
Bugzilla
CVE-2019-3835 ghostscript: superexec operator is available (700585) [fedora-all]2019-03-21
Bugzilla
CVE-2019-3835 ghostscript: superexec operator is available (700585)2019-02-15
CVE-2019-3835 — Incorrect Use of Privileged APIs | cvebase