CVE-2019-3838

CWE-6489 documents8 sources
Severity
5.5MEDIUM
EPSS
1.4%
top 19.82%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
13
Artifex GhostscriptTHE Ghostscript Project GhostscriptDebian Debian Linux+10 more
Timeline
PublishedMar 25
Latest updateMay 13

Description

It was found that the forceput operator could be extracted from the DefineResource method in ghostscript before 9.27. A specially crafted PostScript file could use this flaw in order to, for example, have access to the file system outside of the constrains imposed by -dSAFER.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages8 packages

Debianghostscript< 9.27~dfsg-1+3
NVDopensuse/leap15.0, 42.3+1

Also affects: Debian Linux 8.0, 9.0, Fedora 28, 29, 30, Enterprise Linux 5.0, 6.0, 7.6

Patches

Patch: bugs.ghostscript.comPatch: bugs.ghostscript.com

🔴Vulnerability Details

3
GHSA
GHSA-wvh9-rmg8-crq6: It was found that the forceput operator could be extracted from the DefineResource method in ghostscript before 92022-05-13
OSV
CVE-2019-3838: It was found that the forceput operator could be extracted from the DefineResource method in ghostscript before 92019-03-25
CVEList
CVE-2019-3838: It was found that the forceput operator could be extracted from the DefineResource method in ghostscript before 92019-03-25

📋Vendor Advisories

3
Ubuntu
Ghostscript vulnerabilities2019-03-21
Red Hat
ghostscript: forceput in DefineResource is still accessible (700576)2019-03-21
Debian
CVE-2019-3838: ghostscript - It was found that the forceput operator could be extracted from the DefineResour...2019

💬Community

2
Bugzilla
CVE-2019-3838 ghostscript: forceput in DefineResource is still accessible (700576) [fedora-all]2019-03-21
Bugzilla
CVE-2019-3838 ghostscript: forceput in DefineResource is still accessible (700576)2019-02-15
CVE-2019-3838 (MEDIUM CVSS 5.5) | It was found that the forceput oper | cvebase.io