CVE-2019-3838

medium
New! CVE Severity Now Using CVSS v3

The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Description

It was found that the forceput operator could be extracted from the DefineResource method in ghostscript before 9.27. A specially crafted PostScript file could use this flaw in order to, for example, have access to the file system outside of the constrains imposed by -dSAFER.

References

http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00011.html

http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00018.html

http://packetstormsecurity.com/files/152367/Slackware-Security-Advisory-ghostscript-Updates.html

https://access.redhat.com/errata/RHSA-2019:0652

https://access.redhat.com/errata/RHSA-2019:0971

https://bugs.ghostscript.com/show_bug.cgi?id=700576

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3838

https://lists.debian.org/debian-lts-announce/2019/04/msg00021.html

https://lists.fedoraproject.org/archives/list/[email protected]/message/A43SRQAEHQCKSEMIBINHUNIGHTDCZD7F/

https://lists.fedoraproject.org/archives/list/[email protected]/message/ANBSCZABXQUEQWIKNWJ35IYX24M227EI/

https://lists.fedoraproject.org/archives/list/[email protected]/message/SVERLGEU3OV6RNZ2SIBXREWD3BF5H23N/

https://seclists.org/bugtraq/2019/Apr/28

https://seclists.org/bugtraq/2019/Apr/4

https://security.gentoo.org/glsa/202004-03

https://www.debian.org/security/2019/dsa-4432

Details

Source: MITRE

Published: 2019-03-25

Updated: 2020-10-15

Risk Information

CVSS v2

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM

CVSS v3

Base Score: 5.5

Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Impact Score: 3.6

Exploitability Score: 1.8

Severity: MEDIUM

Tenable Plugins

View all (30 total)

IDNameProductFamilySeverity
150529SUSE SLES11 : Recommended update for ghostscript-library (SUSE-SU-2019:14155-1)NessusSuSE Local Security Checks
medium
146633Amazon Linux 2 : ghostscript (ALAS-2021-1598)NessusAmazon Linux Local Security Checks
critical
145662CentOS 8 : ghostscript (CESA-2019:0971)NessusCentOS Local Security Checks
high
135114GLSA-202004-03 : GPL Ghostscript: Multiple vulnerabilitiesNessusGentoo Local Security Checks
critical
127568Oracle Linux 8 : ghostscript (ELSA-2019-0971)NessusOracle Linux Local Security Checks
high
127274NewStart CGSL CORE 5.04 / MAIN 5.04 : ghostscript Multiple Vulnerabilities (NS-SA-2019-0071)NessusNewStart CGSL Local Security Checks
medium
125565EulerOS Virtualization for ARM 64 3.0.2.0 : ghostscript (EulerOS-SA-2019-1613)NessusHuawei Local Security Checks
high
124968EulerOS Virtualization 3.0.1.0 : ghostscript (EulerOS-SA-2019-1465)NessusHuawei Local Security Checks
medium
124742EulerOS Virtualization 2.5.3 : ghostscript (EulerOS-SA-2019-1364)NessusHuawei Local Security Checks
medium
124664RHEL 8 : ghostscript (RHSA-2019:0971)NessusRed Hat Local Security Checks
high
124543Fedora 30 : ghostscript (2019-d5d9cfd359)NessusFedora Local Security Checks
medium
124386EulerOS 2.0 SP5 : ghostscript (EulerOS-SA-2019-1290)NessusHuawei Local Security Checks
medium
124385EulerOS 2.0 SP3 : ghostscript (EulerOS-SA-2019-1289)NessusHuawei Local Security Checks
medium
124384EulerOS 2.0 SP2 : ghostscript (EulerOS-SA-2019-1288)NessusHuawei Local Security Checks
medium
124243Debian DLA-1761-1 : ghostscript security updateNessusDebian Local Security Checks
medium
124209FreeBSD : Ghostscript -- Security bypass vulnerability (5ed7102e-6454-11e9-9a3a-001cc0382b2f)NessusFreeBSD Local Security Checks
medium
124095Debian DSA-4432-1 : ghostscript - security updateNessusDebian Local Security Checks
medium
123763Fedora 28 : ghostscript (2019-9f28451404)NessusFedora Local Security Checks
medium
123683Virtuozzo 7 : ghostscript / ghostscript-cups / ghostscript-devel / etc (VZLSA-2019-0633)NessusVirtuozzo Local Security Checks
medium
123668openSUSE Security Update : ghostscript (openSUSE-2019-1121)NessusSuSE Local Security Checks
medium
123666openSUSE Security Update : ghostscript (openSUSE-2019-1119)NessusSuSE Local Security Checks
medium
123649Slackware 14.2 / current : ghostscript (SSA:2019-092-01)NessusSlackware Local Security Checks
high
123534Fedora 29 : ghostscript (2019-1a2c059afd)NessusFedora Local Security Checks
medium
123092CentOS 7 : ghostscript (CESA-2019:0633)NessusCentOS Local Security Checks
medium
123075Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 18.10 : Ghostscript vulnerabilities (USN-3915-1)NessusUbuntu Local Security Checks
medium
123070SUSE SLED12 / SLES12 Security Update : ghostscript (SUSE-SU-2019:0719-1)NessusSuSE Local Security Checks
medium
123069SUSE SLED15 / SLES15 Security Update : ghostscript (SUSE-SU-2019:0718-1)NessusSuSE Local Security Checks
medium
123058Scientific Linux Security Update : ghostscript on SL7.x x86_64 (20190321)NessusScientific Linux Local Security Checks
medium
123056RHEL 7 : ghostscript (RHSA-2019:0633)NessusRed Hat Local Security Checks
medium
123055Oracle Linux 7 : ghostscript (ELSA-2019-0633)NessusOracle Linux Local Security Checks
medium