7.8
CVE-2019-14812
- EPSS 2.47%
- Veröffentlicht 27.11.2019 14:15:11
- Zuletzt bearbeitet 21.11.2024 04:27:24
- Quelle secalert@redhat.com
- CVE-Watchlists
- Unerledigt
A flaw was found in all ghostscript versions 9.x before 9.50, in the .setuserparams2 procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Artifex ≫ Ghostscript Version >= 9.00 < 9.50
Fedoraproject ≫ Fedora Version31
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 2.47% | 0.824 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.8 | 1.8 | 5.9 |
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 6.8 | 8.6 | 6.4 |
AV:N/AC:M/Au:N/C:P/I:P/A:P
|
| secalert@redhat.com | 7.3 | 3.9 | 3.4 |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
|
CWE-648 Incorrect Use of Privileged APIs
The product does not conform to the API requirements for a function call that requires extra privileges. This could allow attackers to gain privileges by causing the function to be called incorrectly.
CWE-732 Incorrect Permission Assignment for Critical Resource
The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
https://security.gentoo.org/glsa/202004-03
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LBUC4DBBJTRFNCR3IODBV4IXB2C2HI3V/
http://git.ghostscript.com/?p=ghostpdl.git%3Ba=commitdiff%3Bh=885444fcbe10dc42787ecb76686c8ee4dd33bf33
https://access.redhat.com/security/cve/cve-2019-14812
https://bugs.ghostscript.com/show_bug.cgi?id=701444
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14812