Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2019-6116

CWE-64813 documents9 sources

Severity

7.8HIGH

EPSS

67.5%

top 1.42%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Artifex Ghostscript Canonical Ubuntu Linux Debian Debian Linux +8 more

Timeline

PublishedMar 21

Latest updateMay 13

Description

In Artifex Ghostscript through 9.26, ephemeral or transient procedures can allow access to system operators, leading to remote code execution.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages6 packages

▶NVDartifex/ghostscript9.26

▶Debianghostscript< 9.26a~dfsg-1+3

▶NVDopensuse/leap15.0, 42.3+1

▶NVDredhat/enterprise_linux_server7.0

▶NVDredhat/enterprise_linux_desktop7.0

Also affects: Debian Linux 8.0, 9.0, Fedora 28, 29, 30, Ubuntu Linux 14.04, 16.04, 18.04, 18.10, Enterprise Linux 7.6

Patches

Patch: www.openwall.com ↗Patch: www.openwall.com ↗Patch: bugs.chromium.org ↗

🔴Vulnerability Details

GHSA

GHSA-6vrc-h32p-948x: In Artifex Ghostscript through 9↗2022-05-13

▶

OSV

CVE-2019-6116: In Artifex Ghostscript through 9↗2019-03-21

▶

CVEList

CVE-2019-6116: In Artifex Ghostscript through 9↗2019-03-19

▶

💥Exploits & PoCs

Exploit-DB

Ghostscript 9.26 - Pseudo-Operator Remote Code Execution↗2019-01-24

▶

📋Vendor Advisories

Red Hat

ghostscript: missing attack vector protections for CVE-2019-6116↗2019-05-02

▶

Red Hat

ghostscript: subroutines within pseudo-operators must themselves be pseudo-operators (700317)↗2019-01-23

▶

Ubuntu

Ghostscript vulnerability↗2019-01-23

▶

Debian

CVE-2019-6116: ghostscript - In Artifex Ghostscript through 9.26, ephemeral or transient procedures can allow...↗2019

▶

💬Community

Bugzilla

CVE-2019-3839 ghostscript: missing attack vector protections for CVE-2019-6116 [fedora-all]↗2019-09-02

▶

Bugzilla

CVE-2019-3839 ghostscript: missing attack vector protections for CVE-2019-6116↗2019-02-07

▶

Bugzilla

CVE-2019-6116 ghostscript: subroutines within pseudo-operators must themselves be pseudo-operators (700317) [fedora-all]↗2019-01-23

▶

Bugzilla

CVE-2019-6116 ghostscript: subroutines within pseudo-operators must themselves be pseudo-operators (700317)↗2019-01-16

▶