Ghostscript Vulnerability Allows for Out-of-Bounds Write and Use-After-Free in PDF Processing
CVE-2020-36773

9.8CRITICAL

Key Information:

Vendor: Artifex
Status: Ghostscript
Vendor: CVE Published:; 4 February 2024

What is CVE-2020-36773?

Artifex Ghostscript, a widely used software suite for processing PDF and PostScript, contains a vulnerability that allows for an out-of-bounds write and a use-after-free condition. This issue arises from the handling of characters in PDF documents, where a single character can correspond to multiple Unicode code points, such as in the case of ligatures. As a result, this vulnerability can be exploited during the rendering process, leading to potential data corruption and unauthorized access to sensitive information.

References

https://bugs.ghostscript.com/show_bug.cgi?id=702229

https://git.ghostscript.com/?p=ghostpdl.git%3Ba=commit%3B...

https://bugzilla.opensuse.org/show_bug.cgi?id=1177922

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 4, 2024
Vulnerability Reserved
Feb 4, 2024