CVE-2019-3838

Опубликовано: 25 мар. 2019

Источник: nvd

CVSS3: 7.3

CVSS3: 5.5

CVSS2: 4.3

EPSS Низкий

Описание

It was found that the forceput operator could be extracted from the DefineResource method in ghostscript before 9.27. A specially crafted PostScript file could use this flaw in order to, for example, have access to the file system outside of the constrains imposed by -dSAFER.

Ссылки

http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00011.html
Mailing List
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00018.html
Mailing List
Third Party Advisory
http://packetstormsecurity.com/files/152367/Slackware-Security-Advisory-ghostscript-Updates.html
Third Party Advisory
VDB Entry
https://access.redhat.com/errata/RHSA-2019:0652
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:0971
Third Party Advisory
https://bugs.ghostscript.com/show_bug.cgi?id=700576
Issue Tracking
Patch
Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3838
Issue Tracking
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2019/04/msg00021.html
Mailing List
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A43SRQAEHQCKSEMIBINHUNIGHTDCZD7F/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ANBSCZABXQUEQWIKNWJ35IYX24M227EI/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVERLGEU3OV6RNZ2SIBXREWD3BF5H23N/
https://seclists.org/bugtraq/2019/Apr/28
Mailing List
Third Party Advisory
https://seclists.org/bugtraq/2019/Apr/4
Mailing List
Third Party Advisory
https://security.gentoo.org/glsa/202004-03
Third Party Advisory
https://www.debian.org/security/2019/dsa-4432
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00011.html
Mailing List
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00018.html
Mailing List
Third Party Advisory
http://packetstormsecurity.com/files/152367/Slackware-Security-Advisory-ghostscript-Updates.html
Third Party Advisory
VDB Entry
https://access.redhat.com/errata/RHSA-2019:0652
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:0971
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:artifex:ghostscript:*:*:*:*:*:*:*:*

Версия до 9.27 (исключая)

Конфигурация 2

Одно из

cpe:2.3:a:redhat:ansible_tower:3.3:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux:5.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*

Конфигурация 3

Одно из

cpe:2.3:o:fedoraproject:fedora:28:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*

Конфигурация 4

Одно из

cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*

cpe:2.3:o:opensuse:leap:42.3:*:*:*:*:*:*:*

Конфигурация 5

Одно из

cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

EPSS

Процентиль: 76%

0.01038

Низкий

7.3 High

CVSS3

5.5 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-648

NVD-CWE-Other

Связанные уязвимости

CVE-2019-3838

CVSS3: 5.5

ubuntu

больше 6 лет назад

CVE-2019-3838

CVSS3: 7.3

redhat

больше 6 лет назад

CVE-2019-3838

CVSS3: 5.5

debian

больше 6 лет назад

It was found that the forceput operator could be extracted from the De ...

openSUSE-SU-2019:1121-1

suse-cvrf

больше 6 лет назад

Security update for ghostscript

openSUSE-SU-2019:1119-1

suse-cvrf

больше 6 лет назад

Security update for ghostscript

EPSS

Процентиль: 76%

0.01038

Низкий

7.3 High

CVSS3

5.5 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-648

NVD-CWE-Other