CVE-2019-14812

A flaw was found in all ghostscript versions 9.x before 9.50, in the .setuserparams2 procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.
Configurations

Configuration 1 (hide)

cpe:2.3:a:artifex:ghostscript:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*

History

07 Nov 2023, 03:05

Type Values Removed Values Added
References
  • {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LBUC4DBBJTRFNCR3IODBV4IXB2C2HI3V/', 'name': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LBUC4DBBJTRFNCR3IODBV4IXB2C2HI3V/', 'tags': ['Third Party Advisory'], 'refsource': 'CONFIRM'}
  • {'url': 'http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=885444fcbe10dc42787ecb76686c8ee4dd33bf33', 'name': 'http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=885444fcbe10dc42787ecb76686c8ee4dd33bf33', 'tags': ['Mailing List', 'Patch', 'Vendor Advisory'], 'refsource': 'CONFIRM'}
  • () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LBUC4DBBJTRFNCR3IODBV4IXB2C2HI3V/ -
  • () http://git.ghostscript.com/?p=ghostpdl.git%3Ba=commitdiff%3Bh=885444fcbe10dc42787ecb76686c8ee4dd33bf33 -

Information

Published : 2019-11-27 14:15

Updated : 2023-12-10 13:13


NVD link : CVE-2019-14812

Mitre link : CVE-2019-14812

CVE.ORG link : CVE-2019-14812


JSON object : View

Products Affected

artifex

  • ghostscript

fedoraproject

  • fedora
CWE
CWE-732

Incorrect Permission Assignment for Critical Resource

CWE-648

Incorrect Use of Privileged APIs