CVE-2019-14869
15.11.2019, 12:15
A flaw was found in all versions of ghostscript 9.x before 9.50, where the `.charkeys` procedure, where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. An attacker could abuse this flaw by creating a specially crafted PostScript file that could escalate privileges within the Ghostscript and access files outside of restricted areas or execute commands.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| artifex | ghostscript | 9.00 ≤ 𝑥 < 9.50 |
| opensuse | leap | 15.0 |
| opensuse | leap | 15.1 |
𝑥
= Vulnerable software versions
Debian Releases
Ubuntu Releases
openSUSE / SLES Releases
openSUSE Product | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ghostscript |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| ghostscript-devel |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| ghostscript-x11 |
|
Red Hat Enterprise Linux Releases
Red Hat Product | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| ghostscript |
| ||||||||||
| ghostscript-cups |
| ||||||||||
| ghostscript-doc |
| ||||||||||
| ghostscript-gtk |
| ||||||||||
| ghostscript-tools-dvipdf |
| ||||||||||
| ghostscript-tools-fonts |
| ||||||||||
| ghostscript-tools-printing |
| ||||||||||
| ghostscript-x11 |
| ||||||||||
| libgs |
| ||||||||||
| libgs-devel |
|
Common Weakness Enumeration
- CWE-648 - Incorrect Use of Privileged APIsThe application does not conform to the API requirements for a function call that requires extra privileges. This could allow attackers to gain privileges by causing the function to be called incorrectly.
- CWE-732 - Incorrect Permission Assignment for Critical ResourceThe product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
References