#VU36726 Input validation error in Ghostscript


Published: 2018-09-05 | Updated: 2020-08-08

Vulnerability identifier: #VU36726

Vulnerability risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-16543

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Ghostscript
Universal components / Libraries / Libraries used by multiple products

Vendor: Artifex Software, Inc.

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

In Artifex Ghostscript before 9.24, gssetresolution and gsgetresolution allow attackers to have an unspecified impact.

Mitigation
Install the update from the vendor's website.

Vulnerable software versions

Ghostscript: 9.00 - 9.23


External links
http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=5b5536fa88a9e885032bc0df3852c3439399a5c0
http://bugs.ghostscript.com/show_bug.cgi?id=699670
http://lists.debian.org/debian-lts-announce/2018/09/msg00038.html
http://security.gentoo.org/glsa/201811-12
http://usn.ubuntu.com/3768-1/
http://www.debian.org/security/2018/dsa-4288


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

