Vulnerability Details CVE-2019-14813
A flaw was found in ghostscript, versions 9.x before 9.50, in the setsystemparams procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.14
EPSS Ranking 93.9%
CVSS Severity
CVSS v3 Score 7.3
CVSS v2 Score 7.5
References
- http://git.ghostscript.com/?p=ghostpdl.git%3Ba=commitdiff%3Bh=885444fcbe10dc42787ecb76686c8ee4dd33bf33
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00088.html
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00090.html
- https://access.redhat.com/errata/RHBA-2019:2824
- https://access.redhat.com/errata/RHSA-2019:2594
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14813
- https://lists.debian.org/debian-lts-announce/2019/09/msg00007.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6AATIHU32MYKUOXQDJQU4X4DDVL7NAY3/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LBUC4DBBJTRFNCR3IODBV4IXB2C2HI3V/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZP34D27RKYV2POJ3NJLSVCHUA5V5C45A/
- https://seclists.org/bugtraq/2019/Sep/15
- https://security.gentoo.org/glsa/202004-03
- https://www.debian.org/security/2019/dsa-4518
- http://git.ghostscript.com/?p=ghostpdl.git%3Ba=commitdiff%3Bh=885444fcbe10dc42787ecb76686c8ee4dd33bf33
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00088.html
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00090.html
- https://access.redhat.com/errata/RHBA-2019:2824
- https://access.redhat.com/errata/RHSA-2019:2594
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14813
- https://lists.debian.org/debian-lts-announce/2019/09/msg00007.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6AATIHU32MYKUOXQDJQU4X4DDVL7NAY3/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LBUC4DBBJTRFNCR3IODBV4IXB2C2HI3V/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZP34D27RKYV2POJ3NJLSVCHUA5V5C45A/
- https://seclists.org/bugtraq/2019/Sep/15
- https://security.gentoo.org/glsa/202004-03
- https://www.debian.org/security/2019/dsa-4518
Products affected by CVE-2019-14813
-
cpe:2.3:a:artifex:ghostscript:9.00
-
cpe:2.3:a:artifex:ghostscript:9.01
-
cpe:2.3:a:artifex:ghostscript:9.02
-
cpe:2.3:a:artifex:ghostscript:9.04
-
cpe:2.3:a:artifex:ghostscript:9.05
-
cpe:2.3:a:artifex:ghostscript:9.06
-
cpe:2.3:a:artifex:ghostscript:9.07
-
cpe:2.3:a:artifex:ghostscript:9.09
-
cpe:2.3:a:artifex:ghostscript:9.10
-
cpe:2.3:a:artifex:ghostscript:9.14
-
cpe:2.3:a:artifex:ghostscript:9.15
-
cpe:2.3:a:artifex:ghostscript:9.16
-
cpe:2.3:a:artifex:ghostscript:9.18
-
cpe:2.3:a:artifex:ghostscript:9.19
-
cpe:2.3:a:artifex:ghostscript:9.20
-
cpe:2.3:a:artifex:ghostscript:9.21
-
cpe:2.3:a:artifex:ghostscript:9.22
-
cpe:2.3:a:artifex:ghostscript:9.23
-
cpe:2.3:a:artifex:ghostscript:9.24
-
cpe:2.3:a:artifex:ghostscript:9.25
-
cpe:2.3:a:artifex:ghostscript:9.26
-
cpe:2.3:a:artifex:ghostscript:9.27
-
cpe:2.3:a:artifex:ghostscript:9.28
-
cpe:2.3:a:artifex:ghostscript:9.50
-
cpe:2.3:a:redhat:openshift_container_platform:3.11
-
cpe:2.3:a:redhat:openshift_container_platform:4.1
-
cpe:2.3:o:debian:debian_linux:10.0
-
cpe:2.3:o:debian:debian_linux:8.0
-
cpe:2.3:o:debian:debian_linux:9.0
-
cpe:2.3:o:fedoraproject:fedora:29
-
cpe:2.3:o:fedoraproject:fedora:30
-
cpe:2.3:o:fedoraproject:fedora:31
-
cpe:2.3:o:opensuse:leap:15.0
-
cpe:2.3:o:opensuse:leap:15.1
-
cpe:2.3:o:redhat:enterprise_linux:7.0
-
cpe:2.3:o:redhat:enterprise_linux:8.0
-
cpe:2.3:o:redhat:enterprise_linux_desktop:7.0
-
cpe:2.3:o:redhat:enterprise_linux_server:7.0
-
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.7
-
cpe:2.3:o:redhat:enterprise_linux_server_eus:7.7
-
cpe:2.3:o:redhat:enterprise_linux_server_tus:7.7
-
cpe:2.3:o:redhat:enterprise_linux_workstation:7.0