CVE-2024-46953

CWE-190 — Integer Overflow9 documents7 sources

Severity

7.8HIGH

EPSS

0.1%

top 69.40%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Artifex Ghostscript Debian Debian Linux Suse Linux Enterprise High Performance Computing +2 more

Timeline

PublishedNov 10

Latest updateDec 5

Description

An issue was discovered in base/gsdevice.c in Artifex Ghostscript before 10.04.0. An integer overflow when parsing the filename format string (for the output filename) results in path truncation, and possible path traversal and code execution.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages5 packages

▶NVDartifex/ghostscript< 10.04.0

▶Debianghostscript< 9.53.3~dfsg-7+deb11u9+3

▶Ubuntughostscript< 9.50~dfsg-5ubuntu4.14+2

▶NVDsuse/linux_enterprise_server12

▶NVDsuse/linux_enterprise_high_performance_computing12.0

Also affects: Debian Linux 12.0, Linux Enterprise 12

Patches

Patch: cgit.ghostscript.com ↗

🔴Vulnerability Details

OSV

ghostscript vulnerabilities↗2024-11-12

▶

GHSA

GHSA-qxhf-m3mr-36x5: An issue was discovered in base/gsdevice↗2024-11-11

▶

CVEList

CVE-2024-46953: An issue was discovered in base/gsdevice↗2024-11-10

▶

OSV

CVE-2024-46953: An issue was discovered in base/gsdevice↗2024-11-10

▶

📋Vendor Advisories

Ubuntu

Ghostscript vulnerabilities↗2024-12-05

▶

Ubuntu

Ghostscript vulnerabilities↗2024-11-12

▶

Red Hat

ghostscript: Path Traversal and Code Execution via Integer Overflow in Ghostscript↗2024-11-10

▶

Debian

CVE-2024-46953: ghostscript - An issue was discovered in base/gsdevice.c in Artifex Ghostscript before 10.04.0...↗2024

▶