CVE-2024-33869 — Path Traversal in Ghostscript

CWE-22 — Path Traversal CWE-23 — Relative Path Traversal7 documents7 sources

Severity

5.3MEDIUMNVD

EPSS

0.0%

top 97.34%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Artifex Ghostscript

Timeline

PublishedJul 3

Description

An issue was discovered in Artifex Ghostscript before 10.03.1. Path traversal and command execution can occur (via a crafted PostScript document) because of path reduction in base/gpmisc.c. For example, restrictions on use of %pipe% can be bypassed via the aa/../%pipe%command# output filename.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:LExploitability: 1.8 | Impact: 3.4

Affected Packages2 packages

▶NVDartifex/ghostscript< 10.03.1

▶Debianartifex/ghostscript< 9.53.3~dfsg-7+deb11u7+3

🔴Vulnerability Details

OSV

CVE-2024-33869: An issue was discovered in Artifex Ghostscript before 10↗2024-07-03

▶

GHSA

GHSA-v6hc-9c6c-f599: An issue was discovered in Artifex Ghostscript before 10↗2024-07-03

▶

CVEList

CVE-2024-33869: An issue was discovered in Artifex Ghostscript before 10↗2024-07-03

▶

📋Vendor Advisories

Ubuntu

Ghostscript vulnerabilities↗2024-06-17

▶

Red Hat

ghostscript: path traversal and command execution due to path reduction↗2024-05-16

▶

Debian

CVE-2024-33869: ghostscript - An issue was discovered in Artifex Ghostscript before 10.03.1. Path traversal an...↗2024

▶