CVE-2019-14817

Published: Sep 3, 2019Modified: Nov 21, 2024

7.8

Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: NVD

Description

A flaw was found in, ghostscript versions prior to 9.50, in the .pdfexectoken and other procedures where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.

Affected (11)

Products: Artifex: Ghostscript · Redhat: Openshift Container Platform · Opensuse: Leap · +2 more

Show all products

Artifex: Ghostscript · Redhat: Openshift Container Platform · Opensuse: Leap · Fedoraproject: Fedora · Debian: Debian Linux

1 product

1 product

Openshift Container Platform

1 product

1 product

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Artifex Ghostscript	Before 9.50

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Redhat Openshift Container Platform	Version 3.11
Redhat Openshift Container Platform	Version 4.1

Configuration C

2 vulnerable

Vulnerable Software	Affected Versions
Opensuse Leap	Version 15.0
Opensuse Leap	Version 15.1

Configuration D

3 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 29
Fedoraproject Fedora	Version 30
Fedoraproject Fedora	Version 31

Configuration E

3 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 10.0
Debian Debian Linux	Version 8.0
Debian Debian Linux	Version 9.0

Related CWEs

Incorrect Use of Privileged APIs

The product does not conform to the API requirements for a function call that requires extra privileges. This could allow attackers to gain privileges by causing the function to be called incorrectly.

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (26)

http://git.ghostscript.com/?p=ghostpdl.git%3Ba=commitdiff%3Bh=cd1b1cacadac2479e291efe611979bdc1b3bdb19

Source: secalert@redhat.com

http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00088.html

Source: secalert@redhat.com

Mailing ListThird Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00090.html

Source: secalert@redhat.com

Mailing ListThird Party Advisory

https://access.redhat.com/errata/RHBA-2019:2824

Source: secalert@redhat.com

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:2594

Source: secalert@redhat.com

Third Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14817

Source: secalert@redhat.com

ExploitIssue TrackingThird Party Advisory

https://lists.debian.org/debian-lts-announce/2019/09/msg00007.html

Source: secalert@redhat.com

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6AATIHU32MYKUOXQDJQU4X4DDVL7NAY3/

Source: secalert@redhat.com

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LBUC4DBBJTRFNCR3IODBV4IXB2C2HI3V/

Source: secalert@redhat.com

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZP34D27RKYV2POJ3NJLSVCHUA5V5C45A/

Source: secalert@redhat.com

https://seclists.org/bugtraq/2019/Sep/15

Source: secalert@redhat.com

Mailing ListThird Party Advisory

https://security.gentoo.org/glsa/202004-03

Source: secalert@redhat.com

Third Party Advisory

https://www.debian.org/security/2019/dsa-4518

Source: secalert@redhat.com

Third Party Advisory

http://git.ghostscript.com/?p=ghostpdl.git%3Ba=commitdiff%3Bh=cd1b1cacadac2479e291efe611979bdc1b3bdb19

Source: af854a3a-2127-422b-91ae-364da2661108

http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00088.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00090.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://access.redhat.com/errata/RHBA-2019:2824

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:2594

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14817

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitIssue TrackingThird Party Advisory

https://lists.debian.org/debian-lts-announce/2019/09/msg00007.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6AATIHU32MYKUOXQDJQU4X4DDVL7NAY3/

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LBUC4DBBJTRFNCR3IODBV4IXB2C2HI3V/

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZP34D27RKYV2POJ3NJLSVCHUA5V5C45A/

Source: af854a3a-2127-422b-91ae-364da2661108

https://seclists.org/bugtraq/2019/Sep/15

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://security.gentoo.org/glsa/202004-03

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.debian.org/security/2019/dsa-4518

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.