Heap-Based Pointer Disclosure in Ghostscript Before 10.03.0
CVE-2024-29508

3.3LOW

Key Information:

Vendor: Artifex
Status: Ghostscript
Vendor: CVE Published:; 3 July 2024

Summary

A vulnerability identified in Artifex Ghostscript prior to version 10.03.0 involves a heap-based pointer disclosure originating from the pdf_base_font_alloc function. This flaw may lead to unwanted information being exposed in constructed BaseFont names, potentially allowing an attacker to glean sensitive memory addresses. This can escalate to more severe security risks, affecting the confidentiality and integrity of the system. Users of Ghostscript should upgrade to the latest version to mitigate this vulnerability and safeguard against possible exploitation.

References

https://bugs.ghostscript.com/show_bug.cgi?id=707510

https://git.ghostscript.com/?p=ghostpdl.git%3Bh=ff1013a0a...

https://www.openwall.com/lists/oss-security/2024/07/03/7

CVSS V3.1

Score:

3.3

Severity:

LOW

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jul 3, 2024