CVE-2024-33871

Published: Jul 3, 2024Modified: Apr 16, 2025

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

An issue was discovered in Artifex Ghostscript before 10.03.1. contrib/opvp/gdevopvp.c allows arbitrary code execution via a custom Driver library, exploitable via a crafted PostScript document. This occurs because the Driver parameter for opvp (and oprp) devices can have an arbitrary name for a dynamic library; this library is then loaded.

Affected (1)

Products: Artifex: Ghostscript

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Artifex Ghostscript	Before 10.03.1

Related CWEs

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (6)

https://bugs.ghostscript.com/show_bug.cgi?id=707754

Source: cve@mitre.org

Issue Tracking

https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=7145885041bb52cc23964f0aa2aec1b1c82b5908

Source: cve@mitre.org

Patch

https://www.openwall.com/lists/oss-security/2024/06/28/2

Source: cve@mitre.org

Mailing List

https://bugs.ghostscript.com/show_bug.cgi?id=707754

Source: af854a3a-2127-422b-91ae-364da2661108

Issue Tracking

https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=7145885041bb52cc23964f0aa2aec1b1c82b5908

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://www.openwall.com/lists/oss-security/2024/06/28/2

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing List

Timeline

No history available yet.