SB2019052335 - Information disclosure in Ghostscript

Description

This security bulletin contains information about 1 vulnerability.

1) Information disclosure (CVE-ID: CVE-2017-15652)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

Artifex Ghostscript 9.22 is affected by: Obtain Information. The impact is: obtain sensitive information. The component is: affected source code file, affected function, affected executable, affected libga (imagemagick used that). The attack vector is: Someone must open a postscript file though ghostscript. Because of imagemagick also use libga, so it was affected as well.

Remediation

Install update from vendor's website.

References

• http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2fc463d0e
• http://www.securityfocus.com/bid/108463
• https://bugs.ghostscript.com/show_bug.cgi?id=698676