CVE-2019-14811

Advisory lineage Upstream: 0 Downstream: 14
Modified
Published: 03 Sept 2019, 15:17
Last modified:05 Aug 2024, 00:26

Vulnerability Summary

Overall Risk (default)
medium
41/100
CVSS Score
7.8 HIGH
v3.1 (nvd)
EPSS Score
0.7% LOW
1% probability -1.03%
KEV
Not listed
Ransomware
No reports
Public exploits
1 found
Dark Web
Not detected

Timeline

03 Sept 2019, 15:17
Published
Vulnerability first disclosed
05 Aug 2024, 00:26
Last Modified
Vulnerability information updated

Description

A flaw was found in, ghostscript versions prior to 9.50, in the .pdf_hook_DSC_Creator procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.

CVSS Metrics

  • v3.1HIGHScore: 7.8CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • v3.0HIGHScore: 7.3CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
  • v2.0MEDIUMScore: 6.8AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS Trends

Current EPSS score: 0.70% Percentile: 72%

Techniques & Countermeasures

  • CWE-863Incorrect Authorization

    The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

  • CWE-648Incorrect Use of Privileged APIs

    The product does not conform to the API requirements for a function call that requires extra privileges. This could allow attackers to gain privileges by causing the function to be called incorrectly.

Affected Systems

  • artifex softwareghostscript

    ghostscript versions prior to 9.28

  • UnknownGhostscript

    < 9.50

  • debiandebian_linux

    8.0 | 9.0 | 10.0

  • fedoraprojectfedora

    29 | 30 | 31

  • opensuseleap

    15.0 | 15.1

  • redhatopenshift_container_platform

    3.11 | 4.1

References (12)