Possible Unicode Encoding Error Leads to Directory Traversal
CVE-2024-46954

7.8HIGH

Key Information:

Vendor: Artifex
Status: Ghostscript
Vendor: CVE Published:; 10 November 2024

Summary

An issue found in the decode_utf8 function within base/gp_utf8.c of Artifex Ghostscript prior to version 10.04.0 presents a vulnerability where overlong UTF-8 encoding could lead to directory traversal. This flaw might allow attackers to exploit the file system, potentially granting them access to sensitive directories outside the intended file structure. Proper validation and error handling for UTF-8 data are critical to mitigate this risk and ensure secure operation.

References

https://bugs.ghostscript.com/show_bug.cgi?id=707788

https://github.com/ArtifexSoftware/ghostpdl/blob/master/d...

https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.gi...

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 10, 2024
Vulnerability Reserved
Sep 16, 2024