CVE-2019-14813
06.09.2019, 14:15
A flaw was found in ghostscript, versions 9.x before 9.50, in the setsystemparams procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| artifex | ghostscript | 9.00 ≤ 𝑥 ≤ 9.50 |
| redhat | openshift_container_platform | 3.11 |
| redhat | openshift_container_platform | 4.1 |
| redhat | enterprise_linux | 7.0 |
| redhat | enterprise_linux | 8.0 |
| redhat | enterprise_linux_desktop | 7.0 |
| redhat | enterprise_linux_server | 7.0 |
| redhat | enterprise_linux_server_aus | 7.7 |
| redhat | enterprise_linux_server_eus | 7.7 |
| redhat | enterprise_linux_server_tus | 7.7 |
| redhat | enterprise_linux_workstation | 7.0 |
| opensuse | leap | 15.0 |
| opensuse | leap | 15.1 |
| debian | debian_linux | 8.0 |
| debian | debian_linux | 9.0 |
| debian | debian_linux | 10.0 |
𝑥
= Vulnerable software versions
Debian Releases
Ubuntu Releases
openSUSE / SLES Releases
openSUSE Product | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ghostscript |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| ghostscript-devel |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| ghostscript-x11 |
|
Red Hat Enterprise Linux Releases
Red Hat Product | |||||||
|---|---|---|---|---|---|---|---|
| ghostscript |
| ||||||
| ghostscript-cups |
| ||||||
| ghostscript-doc |
| ||||||
| ghostscript-gtk |
| ||||||
| ghostscript-tools-dvipdf |
| ||||||
| ghostscript-tools-fonts |
| ||||||
| ghostscript-tools-printing |
| ||||||
| ghostscript-x11 |
| ||||||
| libgs |
| ||||||
| libgs-devel |
|
Common Weakness Enumeration
- CWE-648 - Incorrect Use of Privileged APIsThe application does not conform to the API requirements for a function call that requires extra privileges. This could allow attackers to gain privileges by causing the function to be called incorrectly.
- CWE-863 - Incorrect AuthorizationThe software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.
References