Integer Overflow in Ghostscript Could Lead to Path Truncation and Code Execution
CVE-2024-46953
7.8 HIGH
Summary
An integer overflow vulnerability has been identified in Ghostscript, in the file base/gsdevice.c, affecting versions prior to 10.04.0. The flaw occurs while parsing the filename format string used to build output file names and can cause the resulting file path to be truncated. An attacker who controls that format string could use the truncated path to execute arbitrary code or to write output outside the intended directory (path traversal). Users and administrators running affected versions should update to Ghostscript 10.04.0 or later, or apply the vendor patch, to mitigate the risk.
CVSS v3.1
Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved