Vulnerability identifier: #VU36726
Vulnerability risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID: CWE-20
Exploitation vector: Network
Exploit availability: No
Vulnerable software: Ghostscript
Category: Universal components / Libraries / Libraries used by multiple products
Vendor: Artifex Software, Inc.
Description
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
In Artifex Ghostscript before 9.24, gssetresolution and gsgetresolution allow attackers to have an unspecified impact.
Mitigation
Install the update from the vendor's website.
Vulnerable software versions
Ghostscript: 9.00 - 9.23
External links
http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=5b5536fa88a9e885032bc0df3852c3439399a5c0
http://bugs.ghostscript.com/show_bug.cgi?id=699670
http://lists.debian.org/debian-lts-announce/2018/09/msg00038.html
http://security.gentoo.org/glsa/201811-12
http://usn.ubuntu.com/3768-1/
http://www.debian.org/security/2018/dsa-4288
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.