Artifex Ghostscript vulnerabilities
168 known vulnerabilities affecting artifex/ghostscript.
Total CVEs: 168
CISA KEV: 1 (actively exploited)
Public exploits: 7
Exploited in wild: 3
Severity breakdown: CRITICAL 23, HIGH 70, MEDIUM 73, LOW 2
Vulnerabilities
CVE-2024-33871 | P3 | HIGH | CVSS 8.8 | CWE-94 | fixed in 10.03.1 | 2024-07-03
An issue was discovered in Artifex Ghostscript before 10.03.1. contrib/opvp/gdevopvp.c allows arbitrary code execution via a custom Driver library, exploitable via a crafted PostScript document. This occurs because the Driver parameter for opvp (and oprp) devices can have an arbitrary name for a dynamic library; this library is then loaded.
nvd, osv
CVE-2018-19475 | P3 | HIGH | CVSS 7.8 | fixed in 9.26 | 2018-11-23
psi/zdevice2.c in Artifex Ghostscript before 9.26 allows remote attackers to bypass intended access restrictions because available stack space is not checked when the device remains the same.
nvd, osv
CVE-2018-19409 | P3 | CRITICAL | CVSS 9.8 | fixed in 9.26 | 2018-11-21
An issue was discovered in Artifex Ghostscript before 9.26. LockSafetyParams is not checked correctly if another device is used.
nvd, osv
CVE-2009-0196 | P3 | CRITICAL | CVSS 9.3 | ≥ 0, < 8.64~dfsg-1.1 | 2009-04-16
Heap-based buffer overflow in the jbig2_decode_symbol_dict function (jbig2_symbol_dict.c) in the JBIG2 decoding library (jbig2dec) in Ghostscript 8.64, and probably earlier versions, allows remote attackers to execute arbitrary code via a PDF file with a JBIG2 symbol dictionary segment with a large run length value.
osv
CVE-2020-15900 | P3 | CRITICAL | CVSS 9.8 | CWE-191 | v9.50, v9.52 | 2020-07-28
A memory corruption issue was found in Artifex Ghostscript 9.50 and 9.52. Use of a non-standard PostScript operator can allow overriding of file access controls. The 'rsearch' calculation for the 'post' size resulted in a size that was too large, and could underflow to max uint32_t. This was fixed in commit 5d499272b95a6b890a1397e11d20937de000d31b.
nvd, osv
CVE-2009-3743 | P3 | CRITICAL | CVSS 9.3 | ≥ 0, < 8.71~dfsg-1 | 2010-08-26
Off-by-one error in the Ins_MINDEX function in the TrueType bytecode interpreter in Ghostscript before 8.71 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a malformed TrueType font in a document that triggers an integer overflow and a heap-based buffer overflow.
osv
CVE-2024-29506 | P3 | HIGH | CVSS 8.8 | CWE-787 | fixed in 10.03.0 | 2024-07-03
Artifex Ghostscript before 10.03.0 has a stack-based buffer overflow in the pdfi_apply_filter() function via a long PDF filter name.
nvd, osv
CVE-2020-36773 | P3 | CRITICAL | CVSS 9.8 | CWE-416 | v9.51, v9.52, +2 more | 2024-02-04
Artifex Ghostscript before 9.53.0 has an out-of-bounds write and use-after-free in devices/vector/gdevtxtw.c (for txtwrite) because a single character code in a PDF document can map to more than one Unicode code point (e.g., for a ligature).
nvd, osv
CVE-2010-1628 | P3 | CRITICAL | CVSS 9.3 | ≥ 0, < 8.71~dfsg2-4 | 2010-05-19
Ghostscript 8.64, 8.70, and possibly other versions allows context-dependent attackers to execute arbitrary code via a PostScript file containing unlimited recursive procedure invocations, which trigger memory corruption in the stack of the interpreter.
osv
CVE-2009-4270 | P3 | CRITICAL | CVSS 9.3 | ≥ 0, < 8.70~dfsg-2.1 | 2009-12-21
Stack-based buffer overflow in the errprintf function in base/gsmisc.c in ghostscript 8.64 through 8.70 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted PDF file, as originally reported for debug logging code in gdevcups.c in the CUPS output driver.
osv
CVE-2019-14811 | P3 | HIGH | CVSS 7.8 | CWE-648 | fixed in 9.50 | 2019-09-03
A flaw was found in ghostscript versions prior to 9.50, in the .pdf_hook_DSC_Creator procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.
nvd, osv
CVE-2011-4517 | P3 | MEDIUM | CVSS 6.8 | ≥ 0, < 8.64~dfsg-2 | 2011-12-15
The jpc_crg_getparms function in libjasper/jpc/jpc_cs.c in JasPer 1.900.1 uses an incorrect data type during a certain size calculation, which allows remote attackers to trigger a heap-based buffer overflow and execute arbitrary code, or cause a denial of service (heap memory corruption), via a crafted component registration (CRG) marker segment in a JPEG2000 file.
osv
CVE-2011-4516 | P3 | MEDIUM | CVSS 6.8 | ≥ 0, < 8.64~dfsg-2 | 2011-12-15
Heap-based buffer overflow in the jpc_cox_getcompparms function in libjasper/jpc/jpc_cs.c in JasPer 1.900.1 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted numrlvls value in a coding style default (COD) marker segment in a JPEG2000 file.
osv
CVE-2024-29511 | P3 | HIGH | CVSS 7.5 | CWE-489 | fixed in 10.03.1 | 2024-07-03
Artifex Ghostscript before 10.03.1, when Tesseract is used for OCR, has a directory traversal issue that allows arbitrary file reading (and writing of error messages to arbitrary files) via OCRLanguage. For example, exploitation can use debug_file /tmp/out and user_patterns_file /etc/passwd.
nvd, osv
CVE-2009-4897 | P3 | CRITICAL | CVSS 9.3 | ≥ 0, < 8.70~dfsg-1 | 2010-07-22
Buffer overflow in gs/psi/iscan.c in Ghostscript 8.64 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted PDF document containing a long name.
osv
CVE-2024-29509 | P3 | HIGH | CVSS 8.8 | CWE-787 | fixed in 10.03.0 | 2024-07-03
Artifex Ghostscript before 10.03.0 has a heap-based overflow when PDFPassword (e.g., for runpdf) has a \000 byte in the middle.
nvd, osv
CVE-2018-19477 | P3 | HIGH | CVSS 7.8 | CWE-704 | fixed in 9.26 | 2018-11-23
psi/zfjbig2.c in Artifex Ghostscript before 9.26 allows remote attackers to bypass intended access restrictions because of a JBIG2Decode type confusion.
nvd, osv
CVE-2018-19476 | P3 | HIGH | CVSS 7.8 | CWE-704 | fixed in 9.26 | 2018-11-23
psi/zicc.c in Artifex Ghostscript before 9.26 allows remote attackers to bypass intended access restrictions because of a setcolorspace type confusion.
nvd, osv
CVE-2019-14812 | P3 | HIGH | CVSS 7.8 | CWE-648 | ≥ 9.00, < 9.50 | 2019-11-27
A flaw was found in all ghostscript versions 9.x before 9.50, in the .setuserparams2 procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.
nvd, osv
CVE-2019-14817 | P3 | HIGH | CVSS 7.8 | CWE-648 | fixed in 9.50 | 2019-09-03
A flaw was found in ghostscript versions prior to 9.50, in the .pdfexectoken and other procedures where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.
nvd, osv