CVE-2024-33871 — Code Injection in Ghostscript

CWE-94 — Code Injection CWE-20 — Improper Input Validation7 documents7 sources

Severity

8.8HIGHNVD

EPSS

0.7%

top 27.90%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Artifex Ghostscript

Timeline

PublishedJul 3

Description

An issue was discovered in Artifex Ghostscript before 10.03.1. contrib/opvp/gdevopvp.c allows arbitrary code execution via a custom Driver library, exploitable via a crafted PostScript document. This occurs because the Driver parameter for opvp (and oprp) devices can have an arbitrary name for a dynamic library; this library is then loaded.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶NVDartifex/ghostscript< 10.03.1

▶Debianartifex/ghostscript< 9.53.3~dfsg-7+deb11u7+3

Patches

Patch: cgit.ghostscript.com ↗Patch: cgit.ghostscript.com ↗

🔴Vulnerability Details

CVEList

CVE-2024-33871: An issue was discovered in Artifex Ghostscript before 10↗2024-07-03

▶

GHSA

GHSA-mq7h-fm69-h6xq: An issue was discovered in Artifex Ghostscript before 10↗2024-07-03

▶

OSV

CVE-2024-33871: An issue was discovered in Artifex Ghostscript before 10↗2024-07-03

▶

📋Vendor Advisories

Ubuntu

Ghostscript vulnerabilities↗2024-06-17

▶

Red Hat

ghostscript: OPVP device arbitrary code execution via custom Driver library↗2024-05-02

▶

Debian

CVE-2024-33871: ghostscript - An issue was discovered in Artifex Ghostscript before 10.03.1. contrib/opvp/gdev...↗2024

▶