CVE-2019-14812
27.11.2019, 14:15
A flaw was found in all ghostscript versions 9.x before 9.50, in the .setuserparams2 procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.Enginsight
| Vendor | Product | Version |
|---|---|---|
| artifex | ghostscript | 9.00 ≤ 𝑥 < 9.50 |
𝑥
= Vulnerable software versions
Debian Releases
Ubuntu Releases
Common Weakness Enumeration
- CWE-648 - Incorrect Use of Privileged APIsThe application does not conform to the API requirements for a function call that requires extra privileges. This could allow attackers to gain privileges by causing the function to be called incorrectly.
- CWE-732 - Incorrect Permission Assignment for Critical ResourceThe product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
References