csaf_opensuse - opensuse-su-2019:2222-1

opensuse-su-2019:2222-1

Vulnerability from csaf_opensuse

Published

2019-09-30 14:22

Modified

2019-09-30 14:22

Summary

Security update for ghostscript

Notes

Title of the patch

Security update for ghostscript

Description of the patch

This update for ghostscript fixes the following issues: Security issues fixed: - CVE-2019-3835: Fixed an unauthorized file system access caused by an available superexec operator. (bsc#1129180) - CVE-2019-3839: Fixed an unauthorized file system access caused by available privileged operators. (bsc#1134156) - CVE-2019-12973: Fixed a denial-of-service vulnerability in the OpenJPEG function opj_t1_encode_cblks. (bsc#1140359) - CVE-2019-14811: Fixed a safer mode bypass by .forceput exposure in .pdf_hook_DSC_Creator. (bsc#1146882) - CVE-2019-14812: Fixed a safer mode bypass by .forceput exposure in setuserparams. (bsc#1146882) - CVE-2019-14813: Fixed a safer mode bypass by .forceput exposure in setsystemparams. (bsc#1146882) - CVE-2019-14817: Fixed a safer mode bypass by .forceput exposure in .pdfexectoken and other procedures. (bsc#1146884) This update was imported from the SUSE:SLE-15:Update update project.

Patchnames

openSUSE-2019-2222

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for ghostscript",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for ghostscript fixes the following issues:\n\nSecurity issues fixed:\n\n- CVE-2019-3835: Fixed an unauthorized file system access caused by an available superexec operator. (bsc#1129180)\n- CVE-2019-3839: Fixed an unauthorized file system access caused by available privileged operators. (bsc#1134156)\n- CVE-2019-12973: Fixed a denial-of-service vulnerability in the OpenJPEG function opj_t1_encode_cblks. (bsc#1140359)\n- CVE-2019-14811: Fixed a safer mode bypass by .forceput exposure in .pdf_hook_DSC_Creator. (bsc#1146882)\n- CVE-2019-14812: Fixed a safer mode bypass by .forceput exposure in setuserparams. (bsc#1146882)\n- CVE-2019-14813: Fixed a safer mode bypass by .forceput exposure in setsystemparams. (bsc#1146882)\n- CVE-2019-14817: Fixed a safer mode bypass by .forceput exposure in .pdfexectoken and other procedures. (bsc#1146884)\n\nThis update was imported from the SUSE:SLE-15:Update update project.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-2019-2222",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2019_2222-1.json"
      },
      {
        "category": "self",
        "summary": "URL for openSUSE-SU-2019:2222-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/2XOZCYLX5M5QZSG2QI4G4WPB3AVOCY4C/#2XOZCYLX5M5QZSG2QI4G4WPB3AVOCY4C"
      },
      {
        "category": "self",
        "summary": "E-Mail link for openSUSE-SU-2019:2222-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/2XOZCYLX5M5QZSG2QI4G4WPB3AVOCY4C/#2XOZCYLX5M5QZSG2QI4G4WPB3AVOCY4C"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1129180",
        "url": "https://bugzilla.suse.com/1129180"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1129186",
        "url": "https://bugzilla.suse.com/1129186"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1134156",
        "url": "https://bugzilla.suse.com/1134156"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1140359",
        "url": "https://bugzilla.suse.com/1140359"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1146882",
        "url": "https://bugzilla.suse.com/1146882"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1146884",
        "url": "https://bugzilla.suse.com/1146884"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2019-12973 page",
        "url": "https://www.suse.com/security/cve/CVE-2019-12973/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2019-14811 page",
        "url": "https://www.suse.com/security/cve/CVE-2019-14811/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2019-14812 page",
        "url": "https://www.suse.com/security/cve/CVE-2019-14812/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2019-14813 page",
        "url": "https://www.suse.com/security/cve/CVE-2019-14813/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2019-14817 page",
        "url": "https://www.suse.com/security/cve/CVE-2019-14817/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2019-3835 page",
        "url": "https://www.suse.com/security/cve/CVE-2019-3835/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2019-3839 page",
        "url": "https://www.suse.com/security/cve/CVE-2019-3839/"
      }
    ],
    "title": "Security update for ghostscript",
    "tracking": {
      "current_release_date": "2019-09-30T14:22:56Z",
      "generator": {
        "date": "2019-09-30T14:22:56Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2019:2222-1",
      "initial_release_date": "2019-09-30T14:22:56Z",
      "revision_history": [
        {
          "date": "2019-09-30T14:22:56Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ghostscript-9.27-lp150.2.23.1.i586",
                "product": {
                  "name": "ghostscript-9.27-lp150.2.23.1.i586",
                  "product_id": "ghostscript-9.27-lp150.2.23.1.i586"
                }
              },
              {
                "category": "product_version",
                "name": "ghostscript-devel-9.27-lp150.2.23.1.i586",
                "product": {
                  "name": "ghostscript-devel-9.27-lp150.2.23.1.i586",
                  "product_id": "ghostscript-devel-9.27-lp150.2.23.1.i586"
                }
              },
              {
                "category": "product_version",
                "name": "ghostscript-mini-9.27-lp150.2.23.1.i586",
                "product": {
                  "name": "ghostscript-mini-9.27-lp150.2.23.1.i586",
                  "product_id": "ghostscript-mini-9.27-lp150.2.23.1.i586"
                }
              },
              {
                "category": "product_version",
                "name": "ghostscript-mini-devel-9.27-lp150.2.23.1.i586",
                "product": {
                  "name": "ghostscript-mini-devel-9.27-lp150.2.23.1.i586",
                  "product_id": "ghostscript-mini-devel-9.27-lp150.2.23.1.i586"
                }
              },
              {
                "category": "product_version",
                "name": "ghostscript-x11-9.27-lp150.2.23.1.i586",
                "product": {
                  "name": "ghostscript-x11-9.27-lp150.2.23.1.i586",
                  "product_id": "ghostscript-x11-9.27-lp150.2.23.1.i586"
                }
              }
            ],
            "category": "architecture",
            "name": "i586"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ghostscript-9.27-lp150.2.23.1.x86_64",
                "product": {
                  "name": "ghostscript-9.27-lp150.2.23.1.x86_64",
                  "product_id": "ghostscript-9.27-lp150.2.23.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "ghostscript-devel-9.27-lp150.2.23.1.x86_64",
                "product": {
                  "name": "ghostscript-devel-9.27-lp150.2.23.1.x86_64",
                  "product_id": "ghostscript-devel-9.27-lp150.2.23.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "ghostscript-mini-9.27-lp150.2.23.1.x86_64",
                "product": {
                  "name": "ghostscript-mini-9.27-lp150.2.23.1.x86_64",
                  "product_id": "ghostscript-mini-9.27-lp150.2.23.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "ghostscript-mini-devel-9.27-lp150.2.23.1.x86_64",
                "product": {
                  "name": "ghostscript-mini-devel-9.27-lp150.2.23.1.x86_64",
                  "product_id": "ghostscript-mini-devel-9.27-lp150.2.23.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "ghostscript-x11-9.27-lp150.2.23.1.x86_64",
                "product": {
                  "name": "ghostscript-x11-9.27-lp150.2.23.1.x86_64",
                  "product_id": "ghostscript-x11-9.27-lp150.2.23.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Leap 15.0",
                "product": {
                  "name": "openSUSE Leap 15.0",
                  "product_id": "openSUSE Leap 15.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:leap:15.0"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ghostscript-9.27-lp150.2.23.1.i586 as component of openSUSE Leap 15.0",
          "product_id": "openSUSE Leap 15.0:ghostscript-9.27-lp150.2.23.1.i586"
        },
        "product_reference": "ghostscript-9.27-lp150.2.23.1.i586",
        "relates_to_product_reference": "openSUSE Leap 15.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ghostscript-9.27-lp150.2.23.1.x86_64 as component of openSUSE Leap 15.0",
          "product_id": "openSUSE Leap 15.0:ghostscript-9.27-lp150.2.23.1.x86_64"
        },
        "product_reference": "ghostscript-9.27-lp150.2.23.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ghostscript-devel-9.27-lp150.2.23.1.i586 as component of openSUSE Leap 15.0",
          "product_id": "openSUSE Leap 15.0:ghostscript-devel-9.27-lp150.2.23.1.i586"
        },
        "product_reference": "ghostscript-devel-9.27-lp150.2.23.1.i586",
        "relates_to_product_reference": "openSUSE Leap 15.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ghostscript-devel-9.27-lp150.2.23.1.x86_64 as component of openSUSE Leap 15.0",
          "product_id": "openSUSE Leap 15.0:ghostscript-devel-9.27-lp150.2.23.1.x86_64"
        },
        "product_reference": "ghostscript-devel-9.27-lp150.2.23.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ghostscript-mini-9.27-lp150.2.23.1.i586 as component of openSUSE Leap 15.0",
          "product_id": "openSUSE Leap 15.0:ghostscript-mini-9.27-lp150.2.23.1.i586"
        },
        "product_reference": "ghostscript-mini-9.27-lp150.2.23.1.i586",
        "relates_to_product_reference": "openSUSE Leap 15.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ghostscript-mini-9.27-lp150.2.23.1.x86_64 as component of openSUSE Leap 15.0",
          "product_id": "openSUSE Leap 15.0:ghostscript-mini-9.27-lp150.2.23.1.x86_64"
        },
        "product_reference": "ghostscript-mini-9.27-lp150.2.23.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ghostscript-mini-devel-9.27-lp150.2.23.1.i586 as component of openSUSE Leap 15.0",
          "product_id": "openSUSE Leap 15.0:ghostscript-mini-devel-9.27-lp150.2.23.1.i586"
        },
        "product_reference": "ghostscript-mini-devel-9.27-lp150.2.23.1.i586",
        "relates_to_product_reference": "openSUSE Leap 15.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ghostscript-mini-devel-9.27-lp150.2.23.1.x86_64 as component of openSUSE Leap 15.0",
          "product_id": "openSUSE Leap 15.0:ghostscript-mini-devel-9.27-lp150.2.23.1.x86_64"
        },
        "product_reference": "ghostscript-mini-devel-9.27-lp150.2.23.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ghostscript-x11-9.27-lp150.2.23.1.i586 as component of openSUSE Leap 15.0",
          "product_id": "openSUSE Leap 15.0:ghostscript-x11-9.27-lp150.2.23.1.i586"
        },
        "product_reference": "ghostscript-x11-9.27-lp150.2.23.1.i586",
        "relates_to_product_reference": "openSUSE Leap 15.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ghostscript-x11-9.27-lp150.2.23.1.x86_64 as component of openSUSE Leap 15.0",
          "product_id": "openSUSE Leap 15.0:ghostscript-x11-9.27-lp150.2.23.1.x86_64"
        },
        "product_reference": "ghostscript-x11-9.27-lp150.2.23.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.0"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2019-12973",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2019-12973"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In OpenJPEG 2.3.1, there is excessive iteration in the opj_t1_encode_cblks function of openjp2/t1.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted bmp file. This issue is similar to CVE-2018-6616.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 15.0:ghostscript-9.27-lp150.2.23.1.i586",
          "openSUSE Leap 15.0:ghostscript-9.27-lp150.2.23.1.x86_64",
          "openSUSE Leap 15.0:ghostscript-devel-9.27-lp150.2.23.1.i586",
          "openSUSE Leap 15.0:ghostscript-devel-9.27-lp150.2.23.1.x86_64",
          "openSUSE Leap 15.0:ghostscript-mini-9.27-lp150.2.23.1.i586",
          "openSUSE Leap 15.0:ghostscript-mini-9.27-lp150.2.23.1.x86_64",
          "openSUSE Leap 15.0:ghostscript-mini-devel-9.27-lp150.2.23.1.i586",
          "openSUSE Leap 15.0:ghostscript-mini-devel-9.27-lp150.2.23.1.x86_64",
          "openSUSE Leap 15.0:ghostscript-x11-9.27-lp150.2.23.1.i586",
          "openSUSE Leap 15.0:ghostscript-x11-9.27-lp150.2.23.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2019-12973",
          "url": "https://www.suse.com/security/cve/CVE-2019-12973"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1140359 for CVE-2019-12973",
          "url": "https://bugzilla.suse.com/1140359"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 15.0:ghostscript-9.27-lp150.2.23.1.i586",
            "openSUSE Leap 15.0:ghostscript-9.27-lp150.2.23.1.x86_64",
            "openSUSE Leap 15.0:ghostscript-devel-9.27-lp150.2.23.1.i586",
            "openSUSE Leap 15.0:ghostscript-devel-9.27-lp150.2.23.1.x86_64",
            "openSUSE Leap 15.0:ghostscript-mini-9.27-lp150.2.23.1.i586",
            "openSUSE Leap 15.0:ghostscript-mini-9.27-lp150.2.23.1.x86_64",
            "openSUSE Leap 15.0:ghostscript-mini-devel-9.27-lp150.2.23.1.i586",
            "openSUSE Leap 15.0:ghostscript-mini-devel-9.27-lp150.2.23.1.x86_64",
            "openSUSE Leap 15.0:ghostscript-x11-9.27-lp150.2.23.1.i586",
            "openSUSE Leap 15.0:ghostscript-x11-9.27-lp150.2.23.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 3.3,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
            "version": "3.0"
          },
          "products": [
            "openSUSE Leap 15.0:ghostscript-9.27-lp150.2.23.1.i586",
            "openSUSE Leap 15.0:ghostscript-9.27-lp150.2.23.1.x86_64",
            "openSUSE Leap 15.0:ghostscript-devel-9.27-lp150.2.23.1.i586",
            "openSUSE Leap 15.0:ghostscript-devel-9.27-lp150.2.23.1.x86_64",
            "openSUSE Leap 15.0:ghostscript-mini-9.27-lp150.2.23.1.i586",
            "openSUSE Leap 15.0:ghostscript-mini-9.27-lp150.2.23.1.x86_64",
            "openSUSE Leap 15.0:ghostscript-mini-devel-9.27-lp150.2.23.1.i586",
            "openSUSE Leap 15.0:ghostscript-mini-devel-9.27-lp150.2.23.1.x86_64",
            "openSUSE Leap 15.0:ghostscript-x11-9.27-lp150.2.23.1.i586",
            "openSUSE Leap 15.0:ghostscript-x11-9.27-lp150.2.23.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2019-09-30T14:22:56Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2019-12973"
    },
    {
      "cve": "CVE-2019-14811",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2019-14811"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A flaw was found in, ghostscript versions prior to 9.50, in the .pdf_hook_DSC_Creator procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 15.0:ghostscript-9.27-lp150.2.23.1.i586",
          "openSUSE Leap 15.0:ghostscript-9.27-lp150.2.23.1.x86_64",
          "openSUSE Leap 15.0:ghostscript-devel-9.27-lp150.2.23.1.i586",
          "openSUSE Leap 15.0:ghostscript-devel-9.27-lp150.2.23.1.x86_64",
          "openSUSE Leap 15.0:ghostscript-mini-9.27-lp150.2.23.1.i586",
          "openSUSE Leap 15.0:ghostscript-mini-9.27-lp150.2.23.1.x86_64",
          "openSUSE Leap 15.0:ghostscript-mini-devel-9.27-lp150.2.23.1.i586",
          "openSUSE Leap 15.0:ghostscript-mini-devel-9.27-lp150.2.23.1.x86_64",
          "openSUSE Leap 15.0:ghostscript-x11-9.27-lp150.2.23.1.i586",
          "openSUSE Leap 15.0:ghostscript-x11-9.27-lp150.2.23.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2019-14811",
          "url": "https://www.suse.com/security/cve/CVE-2019-14811"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1146882 for CVE-2019-14811",
          "url": "https://bugzilla.suse.com/1146882"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 15.0:ghostscript-9.27-lp150.2.23.1.i586",
            "openSUSE Leap 15.0:ghostscript-9.27-lp150.2.23.1.x86_64",
            "openSUSE Leap 15.0:ghostscript-devel-9.27-lp150.2.23.1.i586",
            "openSUSE Leap 15.0:ghostscript-devel-9.27-lp150.2.23.1.x86_64",
            "openSUSE Leap 15.0:ghostscript-mini-9.27-lp150.2.23.1.i586",
            "openSUSE Leap 15.0:ghostscript-mini-9.27-lp150.2.23.1.x86_64",
            "openSUSE Leap 15.0:ghostscript-mini-devel-9.27-lp150.2.23.1.i586",
            "openSUSE Leap 15.0:ghostscript-mini-devel-9.27-lp150.2.23.1.x86_64",
            "openSUSE Leap 15.0:ghostscript-x11-9.27-lp150.2.23.1.i586",
            "openSUSE Leap 15.0:ghostscript-x11-9.27-lp150.2.23.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.0"
          },
          "products": [
            "openSUSE Leap 15.0:ghostscript-9.27-lp150.2.23.1.i586",
            "openSUSE Leap 15.0:ghostscript-9.27-lp150.2.23.1.x86_64",
            "openSUSE Leap 15.0:ghostscript-devel-9.27-lp150.2.23.1.i586",
            "openSUSE Leap 15.0:ghostscript-devel-9.27-lp150.2.23.1.x86_64",
            "openSUSE Leap 15.0:ghostscript-mini-9.27-lp150.2.23.1.i586",
            "openSUSE Leap 15.0:ghostscript-mini-9.27-lp150.2.23.1.x86_64",
            "openSUSE Leap 15.0:ghostscript-mini-devel-9.27-lp150.2.23.1.i586",
            "openSUSE Leap 15.0:ghostscript-mini-devel-9.27-lp150.2.23.1.x86_64",
            "openSUSE Leap 15.0:ghostscript-x11-9.27-lp150.2.23.1.i586",
            "openSUSE Leap 15.0:ghostscript-x11-9.27-lp150.2.23.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2019-09-30T14:22:56Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2019-14811"
    },
    {
      "cve": "CVE-2019-14812",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2019-14812"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A flaw was found in all ghostscript versions 9.x before 9.50, in the .setuserparams2 procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 15.0:ghostscript-9.27-lp150.2.23.1.i586",
          "openSUSE Leap 15.0:ghostscript-9.27-lp150.2.23.1.x86_64",
          "openSUSE Leap 15.0:ghostscript-devel-9.27-lp150.2.23.1.i586",
          "openSUSE Leap 15.0:ghostscript-devel-9.27-lp150.2.23.1.x86_64",
          "openSUSE Leap 15.0:ghostscript-mini-9.27-lp150.2.23.1.i586",
          "openSUSE Leap 15.0:ghostscript-mini-9.27-lp150.2.23.1.x86_64",
          "openSUSE Leap 15.0:ghostscript-mini-devel-9.27-lp150.2.23.1.i586",
          "openSUSE Leap 15.0:ghostscript-mini-devel-9.27-lp150.2.23.1.x86_64",
          "openSUSE Leap 15.0:ghostscript-x11-9.27-lp150.2.23.1.i586",
          "openSUSE Leap 15.0:ghostscript-x11-9.27-lp150.2.23.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2019-14812",
          "url": "https://www.suse.com/security/cve/CVE-2019-14812"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1146882 for CVE-2019-14812",
          "url": "https://bugzilla.suse.com/1146882"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 15.0:ghostscript-9.27-lp150.2.23.1.i586",
            "openSUSE Leap 15.0:ghostscript-9.27-lp150.2.23.1.x86_64",
            "openSUSE Leap 15.0:ghostscript-devel-9.27-lp150.2.23.1.i586",
            "openSUSE Leap 15.0:ghostscript-devel-9.27-lp150.2.23.1.x86_64",
            "openSUSE Leap 15.0:ghostscript-mini-9.27-lp150.2.23.1.i586",
            "openSUSE Leap 15.0:ghostscript-mini-9.27-lp150.2.23.1.x86_64",
            "openSUSE Leap 15.0:ghostscript-mini-devel-9.27-lp150.2.23.1.i586",
            "openSUSE Leap 15.0:ghostscript-mini-devel-9.27-lp150.2.23.1.x86_64",
            "openSUSE Leap 15.0:ghostscript-x11-9.27-lp150.2.23.1.i586",
            "openSUSE Leap 15.0:ghostscript-x11-9.27-lp150.2.23.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.0"
          },
          "products": [
            "openSUSE Leap 15.0:ghostscript-9.27-lp150.2.23.1.i586",
            "openSUSE Leap 15.0:ghostscript-9.27-lp150.2.23.1.x86_64",
            "openSUSE Leap 15.0:ghostscript-devel-9.27-lp150.2.23.1.i586",
            "openSUSE Leap 15.0:ghostscript-devel-9.27-lp150.2.23.1.x86_64",
            "openSUSE Leap 15.0:ghostscript-mini-9.27-lp150.2.23.1.i586",
            "openSUSE Leap 15.0:ghostscript-mini-9.27-lp150.2.23.1.x86_64",
            "openSUSE Leap 15.0:ghostscript-mini-devel-9.27-lp150.2.23.1.i586",
            "openSUSE Leap 15.0:ghostscript-mini-devel-9.27-lp150.2.23.1.x86_64",
            "openSUSE Leap 15.0:ghostscript-x11-9.27-lp150.2.23.1.i586",
            "openSUSE Leap 15.0:ghostscript-x11-9.27-lp150.2.23.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2019-09-30T14:22:56Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2019-14812"
    },
    {
      "cve": "CVE-2019-14813",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2019-14813"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A flaw was found in ghostscript, versions 9.x before 9.50, in the setsystemparams procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 15.0:ghostscript-9.27-lp150.2.23.1.i586",
          "openSUSE Leap 15.0:ghostscript-9.27-lp150.2.23.1.x86_64",
          "openSUSE Leap 15.0:ghostscript-devel-9.27-lp150.2.23.1.i586",
          "openSUSE Leap 15.0:ghostscript-devel-9.27-lp150.2.23.1.x86_64",
          "openSUSE Leap 15.0:ghostscript-mini-9.27-lp150.2.23.1.i586",
          "openSUSE Leap 15.0:ghostscript-mini-9.27-lp150.2.23.1.x86_64",
          "openSUSE Leap 15.0:ghostscript-mini-devel-9.27-lp150.2.23.1.i586",
          "openSUSE Leap 15.0:ghostscript-mini-devel-9.27-lp150.2.23.1.x86_64",
          "openSUSE Leap 15.0:ghostscript-x11-9.27-lp150.2.23.1.i586",
          "openSUSE Leap 15.0:ghostscript-x11-9.27-lp150.2.23.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2019-14813",
          "url": "https://www.suse.com/security/cve/CVE-2019-14813"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1146882 for CVE-2019-14813",
          "url": "https://bugzilla.suse.com/1146882"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 15.0:ghostscript-9.27-lp150.2.23.1.i586",
            "openSUSE Leap 15.0:ghostscript-9.27-lp150.2.23.1.x86_64",
            "openSUSE Leap 15.0:ghostscript-devel-9.27-lp150.2.23.1.i586",
            "openSUSE Leap 15.0:ghostscript-devel-9.27-lp150.2.23.1.x86_64",
            "openSUSE Leap 15.0:ghostscript-mini-9.27-lp150.2.23.1.i586",
            "openSUSE Leap 15.0:ghostscript-mini-9.27-lp150.2.23.1.x86_64",
            "openSUSE Leap 15.0:ghostscript-mini-devel-9.27-lp150.2.23.1.i586",
            "openSUSE Leap 15.0:ghostscript-mini-devel-9.27-lp150.2.23.1.x86_64",
            "openSUSE Leap 15.0:ghostscript-x11-9.27-lp150.2.23.1.i586",
            "openSUSE Leap 15.0:ghostscript-x11-9.27-lp150.2.23.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.0"
          },
          "products": [
            "openSUSE Leap 15.0:ghostscript-9.27-lp150.2.23.1.i586",
            "openSUSE Leap 15.0:ghostscript-9.27-lp150.2.23.1.x86_64",
            "openSUSE Leap 15.0:ghostscript-devel-9.27-lp150.2.23.1.i586",
            "openSUSE Leap 15.0:ghostscript-devel-9.27-lp150.2.23.1.x86_64",
            "openSUSE Leap 15.0:ghostscript-mini-9.27-lp150.2.23.1.i586",
            "openSUSE Leap 15.0:ghostscript-mini-9.27-lp150.2.23.1.x86_64",
            "openSUSE Leap 15.0:ghostscript-mini-devel-9.27-lp150.2.23.1.i586",
            "openSUSE Leap 15.0:ghostscript-mini-devel-9.27-lp150.2.23.1.x86_64",
            "openSUSE Leap 15.0:ghostscript-x11-9.27-lp150.2.23.1.i586",
            "openSUSE Leap 15.0:ghostscript-x11-9.27-lp150.2.23.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2019-09-30T14:22:56Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2019-14813"
    },
    {
      "cve": "CVE-2019-14817",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2019-14817"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A flaw was found in, ghostscript versions prior to 9.50, in the .pdfexectoken and other procedures where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 15.0:ghostscript-9.27-lp150.2.23.1.i586",
          "openSUSE Leap 15.0:ghostscript-9.27-lp150.2.23.1.x86_64",
          "openSUSE Leap 15.0:ghostscript-devel-9.27-lp150.2.23.1.i586",
          "openSUSE Leap 15.0:ghostscript-devel-9.27-lp150.2.23.1.x86_64",
          "openSUSE Leap 15.0:ghostscript-mini-9.27-lp150.2.23.1.i586",
          "openSUSE Leap 15.0:ghostscript-mini-9.27-lp150.2.23.1.x86_64",
          "openSUSE Leap 15.0:ghostscript-mini-devel-9.27-lp150.2.23.1.i586",
          "openSUSE Leap 15.0:ghostscript-mini-devel-9.27-lp150.2.23.1.x86_64",
          "openSUSE Leap 15.0:ghostscript-x11-9.27-lp150.2.23.1.i586",
          "openSUSE Leap 15.0:ghostscript-x11-9.27-lp150.2.23.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2019-14817",
          "url": "https://www.suse.com/security/cve/CVE-2019-14817"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1146882 for CVE-2019-14817",
          "url": "https://bugzilla.suse.com/1146882"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1146884 for CVE-2019-14817",
          "url": "https://bugzilla.suse.com/1146884"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 15.0:ghostscript-9.27-lp150.2.23.1.i586",
            "openSUSE Leap 15.0:ghostscript-9.27-lp150.2.23.1.x86_64",
            "openSUSE Leap 15.0:ghostscript-devel-9.27-lp150.2.23.1.i586",
            "openSUSE Leap 15.0:ghostscript-devel-9.27-lp150.2.23.1.x86_64",
            "openSUSE Leap 15.0:ghostscript-mini-9.27-lp150.2.23.1.i586",
            "openSUSE Leap 15.0:ghostscript-mini-9.27-lp150.2.23.1.x86_64",
            "openSUSE Leap 15.0:ghostscript-mini-devel-9.27-lp150.2.23.1.i586",
            "openSUSE Leap 15.0:ghostscript-mini-devel-9.27-lp150.2.23.1.x86_64",
            "openSUSE Leap 15.0:ghostscript-x11-9.27-lp150.2.23.1.i586",
            "openSUSE Leap 15.0:ghostscript-x11-9.27-lp150.2.23.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.0"
          },
          "products": [
            "openSUSE Leap 15.0:ghostscript-9.27-lp150.2.23.1.i586",
            "openSUSE Leap 15.0:ghostscript-9.27-lp150.2.23.1.x86_64",
            "openSUSE Leap 15.0:ghostscript-devel-9.27-lp150.2.23.1.i586",
            "openSUSE Leap 15.0:ghostscript-devel-9.27-lp150.2.23.1.x86_64",
            "openSUSE Leap 15.0:ghostscript-mini-9.27-lp150.2.23.1.i586",
            "openSUSE Leap 15.0:ghostscript-mini-9.27-lp150.2.23.1.x86_64",
            "openSUSE Leap 15.0:ghostscript-mini-devel-9.27-lp150.2.23.1.i586",
            "openSUSE Leap 15.0:ghostscript-mini-devel-9.27-lp150.2.23.1.x86_64",
            "openSUSE Leap 15.0:ghostscript-x11-9.27-lp150.2.23.1.i586",
            "openSUSE Leap 15.0:ghostscript-x11-9.27-lp150.2.23.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2019-09-30T14:22:56Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2019-14817"
    },
    {
      "cve": "CVE-2019-3835",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2019-3835"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "It was found that the superexec operator was available in the internal dictionary in ghostscript before 9.27. A specially crafted PostScript file could use this flaw in order to, for example, have access to the file system outside of the constrains imposed by -dSAFER.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 15.0:ghostscript-9.27-lp150.2.23.1.i586",
          "openSUSE Leap 15.0:ghostscript-9.27-lp150.2.23.1.x86_64",
          "openSUSE Leap 15.0:ghostscript-devel-9.27-lp150.2.23.1.i586",
          "openSUSE Leap 15.0:ghostscript-devel-9.27-lp150.2.23.1.x86_64",
          "openSUSE Leap 15.0:ghostscript-mini-9.27-lp150.2.23.1.i586",
          "openSUSE Leap 15.0:ghostscript-mini-9.27-lp150.2.23.1.x86_64",
          "openSUSE Leap 15.0:ghostscript-mini-devel-9.27-lp150.2.23.1.i586",
          "openSUSE Leap 15.0:ghostscript-mini-devel-9.27-lp150.2.23.1.x86_64",
          "openSUSE Leap 15.0:ghostscript-x11-9.27-lp150.2.23.1.i586",
          "openSUSE Leap 15.0:ghostscript-x11-9.27-lp150.2.23.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2019-3835",
          "url": "https://www.suse.com/security/cve/CVE-2019-3835"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1129180 for CVE-2019-3835",
          "url": "https://bugzilla.suse.com/1129180"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 15.0:ghostscript-9.27-lp150.2.23.1.i586",
            "openSUSE Leap 15.0:ghostscript-9.27-lp150.2.23.1.x86_64",
            "openSUSE Leap 15.0:ghostscript-devel-9.27-lp150.2.23.1.i586",
            "openSUSE Leap 15.0:ghostscript-devel-9.27-lp150.2.23.1.x86_64",
            "openSUSE Leap 15.0:ghostscript-mini-9.27-lp150.2.23.1.i586",
            "openSUSE Leap 15.0:ghostscript-mini-9.27-lp150.2.23.1.x86_64",
            "openSUSE Leap 15.0:ghostscript-mini-devel-9.27-lp150.2.23.1.i586",
            "openSUSE Leap 15.0:ghostscript-mini-devel-9.27-lp150.2.23.1.x86_64",
            "openSUSE Leap 15.0:ghostscript-x11-9.27-lp150.2.23.1.i586",
            "openSUSE Leap 15.0:ghostscript-x11-9.27-lp150.2.23.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "openSUSE Leap 15.0:ghostscript-9.27-lp150.2.23.1.i586",
            "openSUSE Leap 15.0:ghostscript-9.27-lp150.2.23.1.x86_64",
            "openSUSE Leap 15.0:ghostscript-devel-9.27-lp150.2.23.1.i586",
            "openSUSE Leap 15.0:ghostscript-devel-9.27-lp150.2.23.1.x86_64",
            "openSUSE Leap 15.0:ghostscript-mini-9.27-lp150.2.23.1.i586",
            "openSUSE Leap 15.0:ghostscript-mini-9.27-lp150.2.23.1.x86_64",
            "openSUSE Leap 15.0:ghostscript-mini-devel-9.27-lp150.2.23.1.i586",
            "openSUSE Leap 15.0:ghostscript-mini-devel-9.27-lp150.2.23.1.x86_64",
            "openSUSE Leap 15.0:ghostscript-x11-9.27-lp150.2.23.1.i586",
            "openSUSE Leap 15.0:ghostscript-x11-9.27-lp150.2.23.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2019-09-30T14:22:56Z",
          "details": "important"
        }
      ],
      "title": "CVE-2019-3835"
    },
    {
      "cve": "CVE-2019-3839",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2019-3839"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "It was found that in ghostscript some privileged operators remained accessible from various places after the CVE-2019-6116 fix. A specially crafted PostScript file could use this flaw in order to, for example, have access to the file system outside of the constrains imposed by -dSAFER. Ghostscript versions before 9.27 are vulnerable.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 15.0:ghostscript-9.27-lp150.2.23.1.i586",
          "openSUSE Leap 15.0:ghostscript-9.27-lp150.2.23.1.x86_64",
          "openSUSE Leap 15.0:ghostscript-devel-9.27-lp150.2.23.1.i586",
          "openSUSE Leap 15.0:ghostscript-devel-9.27-lp150.2.23.1.x86_64",
          "openSUSE Leap 15.0:ghostscript-mini-9.27-lp150.2.23.1.i586",
          "openSUSE Leap 15.0:ghostscript-mini-9.27-lp150.2.23.1.x86_64",
          "openSUSE Leap 15.0:ghostscript-mini-devel-9.27-lp150.2.23.1.i586",
          "openSUSE Leap 15.0:ghostscript-mini-devel-9.27-lp150.2.23.1.x86_64",
          "openSUSE Leap 15.0:ghostscript-x11-9.27-lp150.2.23.1.i586",
          "openSUSE Leap 15.0:ghostscript-x11-9.27-lp150.2.23.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2019-3839",
          "url": "https://www.suse.com/security/cve/CVE-2019-3839"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1134156 for CVE-2019-3839",
          "url": "https://bugzilla.suse.com/1134156"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 15.0:ghostscript-9.27-lp150.2.23.1.i586",
            "openSUSE Leap 15.0:ghostscript-9.27-lp150.2.23.1.x86_64",
            "openSUSE Leap 15.0:ghostscript-devel-9.27-lp150.2.23.1.i586",
            "openSUSE Leap 15.0:ghostscript-devel-9.27-lp150.2.23.1.x86_64",
            "openSUSE Leap 15.0:ghostscript-mini-9.27-lp150.2.23.1.i586",
            "openSUSE Leap 15.0:ghostscript-mini-9.27-lp150.2.23.1.x86_64",
            "openSUSE Leap 15.0:ghostscript-mini-devel-9.27-lp150.2.23.1.i586",
            "openSUSE Leap 15.0:ghostscript-mini-devel-9.27-lp150.2.23.1.x86_64",
            "openSUSE Leap 15.0:ghostscript-x11-9.27-lp150.2.23.1.i586",
            "openSUSE Leap 15.0:ghostscript-x11-9.27-lp150.2.23.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.0"
          },
          "products": [
            "openSUSE Leap 15.0:ghostscript-9.27-lp150.2.23.1.i586",
            "openSUSE Leap 15.0:ghostscript-9.27-lp150.2.23.1.x86_64",
            "openSUSE Leap 15.0:ghostscript-devel-9.27-lp150.2.23.1.i586",
            "openSUSE Leap 15.0:ghostscript-devel-9.27-lp150.2.23.1.x86_64",
            "openSUSE Leap 15.0:ghostscript-mini-9.27-lp150.2.23.1.i586",
            "openSUSE Leap 15.0:ghostscript-mini-9.27-lp150.2.23.1.x86_64",
            "openSUSE Leap 15.0:ghostscript-mini-devel-9.27-lp150.2.23.1.i586",
            "openSUSE Leap 15.0:ghostscript-mini-devel-9.27-lp150.2.23.1.x86_64",
            "openSUSE Leap 15.0:ghostscript-x11-9.27-lp150.2.23.1.i586",
            "openSUSE Leap 15.0:ghostscript-x11-9.27-lp150.2.23.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2019-09-30T14:22:56Z",
          "details": "important"
        }
      ],
      "title": "CVE-2019-3839"
    }
  ]
}

CVE-2019-14817 (GCVE-0-2019-14817)

Vulnerability from cvelistv5

Published

2019-09-03 15:50

Modified

2024-08-05 00:26

Severity ?

7.3 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE

CWE-648

Summary

A flaw was found in, ghostscript versions prior to 9.50, in the .pdfexectoken and other procedures where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.

References

URL

Tags

	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14817	x_refsource_CONFIRM
	http://git.ghostscript.com/?p=ghostpdl.git%3Ba=commitdiff%3Bh=cd1b1cacadac2479e291efe611979bdc1b3bdb19	x_refsource_CONFIRM
	https://www.debian.org/security/2019/dsa-4518	vendor-advisory, x_refsource_DEBIAN
	https://lists.debian.org/debian-lts-announce/2019/09/msg00007.html	mailing-list, x_refsource_MLIST
	https://seclists.org/bugtraq/2019/Sep/15	mailing-list, x_refsource_BUGTRAQ
	https://access.redhat.com/errata/RHSA-2019:2594	vendor-advisory, x_refsource_REDHAT
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LBUC4DBBJTRFNCR3IODBV4IXB2C2HI3V/	vendor-advisory, x_refsource_FEDORA
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZP34D27RKYV2POJ3NJLSVCHUA5V5C45A/	vendor-advisory, x_refsource_FEDORA
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6AATIHU32MYKUOXQDJQU4X4DDVL7NAY3/	vendor-advisory, x_refsource_FEDORA
	http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00090.html	vendor-advisory, x_refsource_SUSE
	http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00088.html	vendor-advisory, x_refsource_SUSE
	https://access.redhat.com/errata/RHBA-2019:2824	vendor-advisory, x_refsource_REDHAT
	https://security.gentoo.org/glsa/202004-03	vendor-advisory, x_refsource_GENTOO

Impacted products

	Vendor	Product	Version
	Artifex Software	ghostscript	Version: ghostscript versions prior to 9.28

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T00:26:39.156Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14817"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://git.ghostscript.com/?p=ghostpdl.git%3Ba=commitdiff%3Bh=cd1b1cacadac2479e291efe611979bdc1b3bdb19"
          },
          {
            "name": "DSA-4518",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2019/dsa-4518"
          },
          {
            "name": "[debian-lts-announce] 20190909 [SECURITY] [DLA 1915-1] ghostscript security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00007.html"
          },
          {
            "name": "20190910 [SECURITY] [DSA 4518-1] ghostscript security update",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "https://seclists.org/bugtraq/2019/Sep/15"
          },
          {
            "name": "RHSA-2019:2594",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:2594"
          },
          {
            "name": "FEDORA-2019-0a9d525d71",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LBUC4DBBJTRFNCR3IODBV4IXB2C2HI3V/"
          },
          {
            "name": "FEDORA-2019-953fc0f16d",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZP34D27RKYV2POJ3NJLSVCHUA5V5C45A/"
          },
          {
            "name": "FEDORA-2019-ebd6c4f15a",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6AATIHU32MYKUOXQDJQU4X4DDVL7NAY3/"
          },
          {
            "name": "openSUSE-SU-2019:2222",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00090.html"
          },
          {
            "name": "openSUSE-SU-2019:2223",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00088.html"
          },
          {
            "name": "RHBA-2019:2824",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHBA-2019:2824"
          },
          {
            "name": "GLSA-202004-03",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202004-03"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "ghostscript",
          "vendor": "Artifex Software",
          "versions": [
            {
              "status": "affected",
              "version": "ghostscript versions prior to 9.28"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in, ghostscript versions prior to 9.50, in the .pdfexectoken and other procedures where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-648",
              "description": "CWE-648",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-04-01T21:06:06",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14817"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://git.ghostscript.com/?p=ghostpdl.git%3Ba=commitdiff%3Bh=cd1b1cacadac2479e291efe611979bdc1b3bdb19"
        },
        {
          "name": "DSA-4518",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2019/dsa-4518"
        },
        {
          "name": "[debian-lts-announce] 20190909 [SECURITY] [DLA 1915-1] ghostscript security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00007.html"
        },
        {
          "name": "20190910 [SECURITY] [DSA 4518-1] ghostscript security update",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "https://seclists.org/bugtraq/2019/Sep/15"
        },
        {
          "name": "RHSA-2019:2594",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:2594"
        },
        {
          "name": "FEDORA-2019-0a9d525d71",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LBUC4DBBJTRFNCR3IODBV4IXB2C2HI3V/"
        },
        {
          "name": "FEDORA-2019-953fc0f16d",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZP34D27RKYV2POJ3NJLSVCHUA5V5C45A/"
        },
        {
          "name": "FEDORA-2019-ebd6c4f15a",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6AATIHU32MYKUOXQDJQU4X4DDVL7NAY3/"
        },
        {
          "name": "openSUSE-SU-2019:2222",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00090.html"
        },
        {
          "name": "openSUSE-SU-2019:2223",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00088.html"
        },
        {
          "name": "RHBA-2019:2824",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHBA-2019:2824"
        },
        {
          "name": "GLSA-202004-03",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/202004-03"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2019-14817",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "ghostscript",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "ghostscript versions prior to 9.28"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Artifex Software"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A flaw was found in, ghostscript versions prior to 9.50, in the .pdfexectoken and other procedures where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands."
            }
          ]
        },
        "impact": {
          "cvss": [
            [
              {
                "vectorString": "7.3/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.0"
              }
            ]
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-648"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14817",
              "refsource": "CONFIRM",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14817"
            },
            {
              "name": "http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=cd1b1cacadac2479e291efe611979bdc1b3bdb19",
              "refsource": "CONFIRM",
              "url": "http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=cd1b1cacadac2479e291efe611979bdc1b3bdb19"
            },
            {
              "name": "DSA-4518",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2019/dsa-4518"
            },
            {
              "name": "[debian-lts-announce] 20190909 [SECURITY] [DLA 1915-1] ghostscript security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00007.html"
            },
            {
              "name": "20190910 [SECURITY] [DSA 4518-1] ghostscript security update",
              "refsource": "BUGTRAQ",
              "url": "https://seclists.org/bugtraq/2019/Sep/15"
            },
            {
              "name": "RHSA-2019:2594",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:2594"
            },
            {
              "name": "FEDORA-2019-0a9d525d71",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LBUC4DBBJTRFNCR3IODBV4IXB2C2HI3V/"
            },
            {
              "name": "FEDORA-2019-953fc0f16d",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZP34D27RKYV2POJ3NJLSVCHUA5V5C45A/"
            },
            {
              "name": "FEDORA-2019-ebd6c4f15a",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6AATIHU32MYKUOXQDJQU4X4DDVL7NAY3/"
            },
            {
              "name": "openSUSE-SU-2019:2222",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00090.html"
            },
            {
              "name": "openSUSE-SU-2019:2223",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00088.html"
            },
            {
              "name": "RHBA-2019:2824",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHBA-2019:2824"
            },
            {
              "name": "GLSA-202004-03",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/202004-03"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2019-14817",
    "datePublished": "2019-09-03T15:50:42",
    "dateReserved": "2019-08-10T00:00:00",
    "dateUpdated": "2024-08-05T00:26:39.156Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2019-3835 (GCVE-0-2019-3835)

Vulnerability from cvelistv5

Published

2019-03-25 18:30

Modified

2024-08-04 19:19

Severity ?

7.3 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE

CWE-648

Summary

It was found that the superexec operator was available in the internal dictionary in ghostscript before 9.27. A specially crafted PostScript file could use this flaw in order to, for example, have access to the file system outside of the constrains imposed by -dSAFER.

References

URL

Tags

	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3835	x_refsource_CONFIRM
	https://bugs.ghostscript.com/show_bug.cgi?id=700585	x_refsource_MISC
	https://access.redhat.com/errata/RHSA-2019:0652	vendor-advisory, x_refsource_REDHAT
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVERLGEU3OV6RNZ2SIBXREWD3BF5H23N/	vendor-advisory, x_refsource_FEDORA
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ANBSCZABXQUEQWIKNWJ35IYX24M227EI/	vendor-advisory, x_refsource_FEDORA
	https://seclists.org/bugtraq/2019/Apr/4	mailing-list, x_refsource_BUGTRAQ
	http://packetstormsecurity.com/files/152367/Slackware-Security-Advisory-ghostscript-Updates.html	x_refsource_MISC
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A43SRQAEHQCKSEMIBINHUNIGHTDCZD7F/	vendor-advisory, x_refsource_FEDORA
	https://www.debian.org/security/2019/dsa-4432	vendor-advisory, x_refsource_DEBIAN
	https://seclists.org/bugtraq/2019/Apr/28	mailing-list, x_refsource_BUGTRAQ
	http://www.securityfocus.com/bid/107855	vdb-entry, x_refsource_BID
	https://lists.debian.org/debian-lts-announce/2019/04/msg00021.html	mailing-list, x_refsource_MLIST
	https://access.redhat.com/errata/RHSA-2019:0971	vendor-advisory, x_refsource_REDHAT
	http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00090.html	vendor-advisory, x_refsource_SUSE
	http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00088.html	vendor-advisory, x_refsource_SUSE
	https://security.gentoo.org/glsa/202004-03	vendor-advisory, x_refsource_GENTOO

Impacted products

	Vendor	Product	Version
	The ghostscript Project	ghostscript	Version: 9.27

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T19:19:18.577Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3835"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugs.ghostscript.com/show_bug.cgi?id=700585"
          },
          {
            "name": "RHSA-2019:0652",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:0652"
          },
          {
            "name": "FEDORA-2019-d5d9cfd359",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVERLGEU3OV6RNZ2SIBXREWD3BF5H23N/"
          },
          {
            "name": "FEDORA-2019-1a2c059afd",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ANBSCZABXQUEQWIKNWJ35IYX24M227EI/"
          },
          {
            "name": "20190402 [slackware-security] ghostscript (SSA:2019-092-01)",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "https://seclists.org/bugtraq/2019/Apr/4"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/152367/Slackware-Security-Advisory-ghostscript-Updates.html"
          },
          {
            "name": "FEDORA-2019-9f28451404",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A43SRQAEHQCKSEMIBINHUNIGHTDCZD7F/"
          },
          {
            "name": "DSA-4432",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2019/dsa-4432"
          },
          {
            "name": "20190417 [SECURITY] [DSA 4432-1] ghostscript security update",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "https://seclists.org/bugtraq/2019/Apr/28"
          },
          {
            "name": "107855",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/107855"
          },
          {
            "name": "[debian-lts-announce] 20190423 [SECURITY] [DLA 1761-1] ghostscript security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2019/04/msg00021.html"
          },
          {
            "name": "RHSA-2019:0971",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:0971"
          },
          {
            "name": "openSUSE-SU-2019:2222",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00090.html"
          },
          {
            "name": "openSUSE-SU-2019:2223",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00088.html"
          },
          {
            "name": "GLSA-202004-03",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202004-03"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "ghostscript",
          "vendor": "The ghostscript Project",
          "versions": [
            {
              "status": "affected",
              "version": "9.27"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "It was found that the superexec operator was available in the internal dictionary in ghostscript before 9.27. A specially crafted PostScript file could use this flaw in order to, for example, have access to the file system outside of the constrains imposed by -dSAFER."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-648",
              "description": "CWE-648",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-04-01T21:06:06",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3835"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugs.ghostscript.com/show_bug.cgi?id=700585"
        },
        {
          "name": "RHSA-2019:0652",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:0652"
        },
        {
          "name": "FEDORA-2019-d5d9cfd359",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SVERLGEU3OV6RNZ2SIBXREWD3BF5H23N/"
        },
        {
          "name": "FEDORA-2019-1a2c059afd",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ANBSCZABXQUEQWIKNWJ35IYX24M227EI/"
        },
        {
          "name": "20190402 [slackware-security] ghostscript (SSA:2019-092-01)",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "https://seclists.org/bugtraq/2019/Apr/4"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/152367/Slackware-Security-Advisory-ghostscript-Updates.html"
        },
        {
          "name": "FEDORA-2019-9f28451404",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A43SRQAEHQCKSEMIBINHUNIGHTDCZD7F/"
        },
        {
          "name": "DSA-4432",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2019/dsa-4432"
        },
        {
          "name": "20190417 [SECURITY] [DSA 4432-1] ghostscript security update",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "https://seclists.org/bugtraq/2019/Apr/28"
        },
        {
          "name": "107855",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/107855"
        },
        {
          "name": "[debian-lts-announce] 20190423 [SECURITY] [DLA 1761-1] ghostscript security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2019/04/msg00021.html"
        },
        {
          "name": "RHSA-2019:0971",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:0971"
        },
        {
          "name": "openSUSE-SU-2019:2222",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00090.html"
        },
        {
          "name": "openSUSE-SU-2019:2223",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00088.html"
        },
        {
          "name": "GLSA-202004-03",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/202004-03"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2019-3835",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "ghostscript",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "9.27"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "The ghostscript Project"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "It was found that the superexec operator was available in the internal dictionary in ghostscript before 9.27. A specially crafted PostScript file could use this flaw in order to, for example, have access to the file system outside of the constrains imposed by -dSAFER."
            }
          ]
        },
        "impact": {
          "cvss": [
            [
              {
                "vectorString": "7.3/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.0"
              }
            ]
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-648"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3835",
              "refsource": "CONFIRM",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3835"
            },
            {
              "name": "https://bugs.ghostscript.com/show_bug.cgi?id=700585",
              "refsource": "MISC",
              "url": "https://bugs.ghostscript.com/show_bug.cgi?id=700585"
            },
            {
              "name": "RHSA-2019:0652",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:0652"
            },
            {
              "name": "FEDORA-2019-d5d9cfd359",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SVERLGEU3OV6RNZ2SIBXREWD3BF5H23N/"
            },
            {
              "name": "FEDORA-2019-1a2c059afd",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ANBSCZABXQUEQWIKNWJ35IYX24M227EI/"
            },
            {
              "name": "20190402 [slackware-security] ghostscript (SSA:2019-092-01)",
              "refsource": "BUGTRAQ",
              "url": "https://seclists.org/bugtraq/2019/Apr/4"
            },
            {
              "name": "http://packetstormsecurity.com/files/152367/Slackware-Security-Advisory-ghostscript-Updates.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/152367/Slackware-Security-Advisory-ghostscript-Updates.html"
            },
            {
              "name": "FEDORA-2019-9f28451404",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A43SRQAEHQCKSEMIBINHUNIGHTDCZD7F/"
            },
            {
              "name": "DSA-4432",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2019/dsa-4432"
            },
            {
              "name": "20190417 [SECURITY] [DSA 4432-1] ghostscript security update",
              "refsource": "BUGTRAQ",
              "url": "https://seclists.org/bugtraq/2019/Apr/28"
            },
            {
              "name": "107855",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/107855"
            },
            {
              "name": "[debian-lts-announce] 20190423 [SECURITY] [DLA 1761-1] ghostscript security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2019/04/msg00021.html"
            },
            {
              "name": "RHSA-2019:0971",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:0971"
            },
            {
              "name": "openSUSE-SU-2019:2222",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00090.html"
            },
            {
              "name": "openSUSE-SU-2019:2223",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00088.html"
            },
            {
              "name": "GLSA-202004-03",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/202004-03"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2019-3835",
    "datePublished": "2019-03-25T18:30:31",
    "dateReserved": "2019-01-03T00:00:00",
    "dateUpdated": "2024-08-04T19:19:18.577Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2019-14812 (GCVE-0-2019-14812)

Vulnerability from cvelistv5

Published

2019-11-27 13:50

Modified

2024-08-05 00:26

Severity ?

7.3 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE

CWE-648

Summary

A flaw was found in all ghostscript versions 9.x before 9.50, in the .setuserparams2 procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.

References

URL

Tags

	http://git.ghostscript.com/?p=ghostpdl.git%3Ba=commitdiff%3Bh=885444fcbe10dc42787ecb76686c8ee4dd33bf33	x_refsource_CONFIRM
	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14812	x_refsource_CONFIRM
	https://access.redhat.com/security/cve/cve-2019-14812	x_refsource_CONFIRM
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LBUC4DBBJTRFNCR3IODBV4IXB2C2HI3V/	x_refsource_CONFIRM
	https://bugs.ghostscript.com/show_bug.cgi?id=701444	x_refsource_CONFIRM
	https://security.gentoo.org/glsa/202004-03	vendor-advisory, x_refsource_GENTOO

Impacted products

	Vendor	Product	Version
	Red Hat	ghostscript	Version: all ghostscript versions 9.x before 9.50

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T00:26:39.040Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://git.ghostscript.com/?p=ghostpdl.git%3Ba=commitdiff%3Bh=885444fcbe10dc42787ecb76686c8ee4dd33bf33"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14812"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/security/cve/cve-2019-14812"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LBUC4DBBJTRFNCR3IODBV4IXB2C2HI3V/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugs.ghostscript.com/show_bug.cgi?id=701444"
          },
          {
            "name": "GLSA-202004-03",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202004-03"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "ghostscript",
          "vendor": "Red Hat",
          "versions": [
            {
              "status": "affected",
              "version": "all ghostscript versions 9.x before 9.50"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in all ghostscript versions 9.x before 9.50, in the .setuserparams2 procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-648",
              "description": "CWE-648",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-04-01T21:06:09",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://git.ghostscript.com/?p=ghostpdl.git%3Ba=commitdiff%3Bh=885444fcbe10dc42787ecb76686c8ee4dd33bf33"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14812"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://access.redhat.com/security/cve/cve-2019-14812"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LBUC4DBBJTRFNCR3IODBV4IXB2C2HI3V/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugs.ghostscript.com/show_bug.cgi?id=701444"
        },
        {
          "name": "GLSA-202004-03",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/202004-03"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2019-14812",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "ghostscript",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "all ghostscript versions 9.x before 9.50"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Red Hat"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A flaw was found in all ghostscript versions 9.x before 9.50, in the .setuserparams2 procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands."
            }
          ]
        },
        "impact": {
          "cvss": [
            [
              {
                "vectorString": "7.3/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.0"
              }
            ]
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-648"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=885444fcbe10dc42787ecb76686c8ee4dd33bf33",
              "refsource": "CONFIRM",
              "url": "http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=885444fcbe10dc42787ecb76686c8ee4dd33bf33"
            },
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14812",
              "refsource": "CONFIRM",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14812"
            },
            {
              "name": "https://access.redhat.com/security/cve/cve-2019-14812",
              "refsource": "CONFIRM",
              "url": "https://access.redhat.com/security/cve/cve-2019-14812"
            },
            {
              "name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LBUC4DBBJTRFNCR3IODBV4IXB2C2HI3V/",
              "refsource": "CONFIRM",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LBUC4DBBJTRFNCR3IODBV4IXB2C2HI3V/"
            },
            {
              "name": "https://bugs.ghostscript.com/show_bug.cgi?id=701444",
              "refsource": "CONFIRM",
              "url": "https://bugs.ghostscript.com/show_bug.cgi?id=701444"
            },
            {
              "name": "GLSA-202004-03",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/202004-03"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2019-14812",
    "datePublished": "2019-11-27T13:50:15",
    "dateReserved": "2019-08-10T00:00:00",
    "dateUpdated": "2024-08-05T00:26:39.040Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2019-3839 (GCVE-0-2019-3839)

Vulnerability from cvelistv5

Published

2019-05-16 18:31

Modified

2024-08-04 19:19

Severity ?

7.3 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE

CWE-648

Summary

It was found that in ghostscript some privileged operators remained accessible from various places after the CVE-2019-6116 fix. A specially crafted PostScript file could use this flaw in order to, for example, have access to the file system outside of the constrains imposed by -dSAFER. Ghostscript versions before 9.27 are vulnerable.

References

URL

Tags

	https://access.redhat.com/errata/RHSA-2019:0971	vendor-advisory, x_refsource_REDHAT
	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3839	x_refsource_CONFIRM
	https://access.redhat.com/errata/RHSA-2019:1017	vendor-advisory, x_refsource_REDHAT
	https://usn.ubuntu.com/3970-1/	vendor-advisory, x_refsource_UBUNTU
	https://www.debian.org/security/2019/dsa-4442	vendor-advisory, x_refsource_DEBIAN
	https://seclists.org/bugtraq/2019/May/23	mailing-list, x_refsource_BUGTRAQ
	http://git.ghostscript.com/?p=ghostpdl.git%3Ba=commitdiff%3Bh=4ec9ca74bed49f2a82acb4bf430eae0d8b3b75c9	x_refsource_CONFIRM
	https://lists.debian.org/debian-lts-announce/2019/05/msg00023.html	mailing-list, x_refsource_MLIST
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZP34D27RKYV2POJ3NJLSVCHUA5V5C45A/	vendor-advisory, x_refsource_FEDORA
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6AATIHU32MYKUOXQDJQU4X4DDVL7NAY3/	vendor-advisory, x_refsource_FEDORA
	http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00090.html	vendor-advisory, x_refsource_SUSE
	http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00088.html	vendor-advisory, x_refsource_SUSE

Impacted products

	Vendor	Product	Version
	The ghostscript Project	ghostscript	Version: 9.28

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T19:19:18.593Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHSA-2019:0971",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:0971"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3839"
          },
          {
            "name": "RHSA-2019:1017",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:1017"
          },
          {
            "name": "USN-3970-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/3970-1/"
          },
          {
            "name": "DSA-4442",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2019/dsa-4442"
          },
          {
            "name": "20190512 [SECURITY] [DSA 4442-1] ghostscript security update",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "https://seclists.org/bugtraq/2019/May/23"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://git.ghostscript.com/?p=ghostpdl.git%3Ba=commitdiff%3Bh=4ec9ca74bed49f2a82acb4bf430eae0d8b3b75c9"
          },
          {
            "name": "[debian-lts-announce] 20190519 [SECURITY] [DLA 1792-1] ghostscript security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00023.html"
          },
          {
            "name": "FEDORA-2019-953fc0f16d",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZP34D27RKYV2POJ3NJLSVCHUA5V5C45A/"
          },
          {
            "name": "FEDORA-2019-ebd6c4f15a",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6AATIHU32MYKUOXQDJQU4X4DDVL7NAY3/"
          },
          {
            "name": "openSUSE-SU-2019:2222",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00090.html"
          },
          {
            "name": "openSUSE-SU-2019:2223",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00088.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "ghostscript",
          "vendor": "The ghostscript Project",
          "versions": [
            {
              "status": "affected",
              "version": "9.28"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "It was found that in ghostscript some privileged operators remained accessible from various places after the CVE-2019-6116 fix. A specially crafted PostScript file could use this flaw in order to, for example, have access to the file system outside of the constrains imposed by -dSAFER. Ghostscript versions before 9.27 are vulnerable."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-648",
              "description": "CWE-648",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-09-30T20:06:19",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2019:0971",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:0971"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3839"
        },
        {
          "name": "RHSA-2019:1017",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:1017"
        },
        {
          "name": "USN-3970-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/3970-1/"
        },
        {
          "name": "DSA-4442",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2019/dsa-4442"
        },
        {
          "name": "20190512 [SECURITY] [DSA 4442-1] ghostscript security update",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "https://seclists.org/bugtraq/2019/May/23"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://git.ghostscript.com/?p=ghostpdl.git%3Ba=commitdiff%3Bh=4ec9ca74bed49f2a82acb4bf430eae0d8b3b75c9"
        },
        {
          "name": "[debian-lts-announce] 20190519 [SECURITY] [DLA 1792-1] ghostscript security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00023.html"
        },
        {
          "name": "FEDORA-2019-953fc0f16d",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZP34D27RKYV2POJ3NJLSVCHUA5V5C45A/"
        },
        {
          "name": "FEDORA-2019-ebd6c4f15a",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6AATIHU32MYKUOXQDJQU4X4DDVL7NAY3/"
        },
        {
          "name": "openSUSE-SU-2019:2222",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00090.html"
        },
        {
          "name": "openSUSE-SU-2019:2223",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00088.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2019-3839",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "ghostscript",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "9.28"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "The ghostscript Project"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "It was found that in ghostscript some privileged operators remained accessible from various places after the CVE-2019-6116 fix. A specially crafted PostScript file could use this flaw in order to, for example, have access to the file system outside of the constrains imposed by -dSAFER. Ghostscript versions before 9.27 are vulnerable."
            }
          ]
        },
        "impact": {
          "cvss": [
            [
              {
                "vectorString": "7.3/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.0"
              }
            ]
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-648"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "RHSA-2019:0971",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:0971"
            },
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3839",
              "refsource": "CONFIRM",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3839"
            },
            {
              "name": "RHSA-2019:1017",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:1017"
            },
            {
              "name": "USN-3970-1",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/3970-1/"
            },
            {
              "name": "DSA-4442",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2019/dsa-4442"
            },
            {
              "name": "20190512 [SECURITY] [DSA 4442-1] ghostscript security update",
              "refsource": "BUGTRAQ",
              "url": "https://seclists.org/bugtraq/2019/May/23"
            },
            {
              "name": "http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=4ec9ca74bed49f2a82acb4bf430eae0d8b3b75c9",
              "refsource": "CONFIRM",
              "url": "http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=4ec9ca74bed49f2a82acb4bf430eae0d8b3b75c9"
            },
            {
              "name": "[debian-lts-announce] 20190519 [SECURITY] [DLA 1792-1] ghostscript security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00023.html"
            },
            {
              "name": "FEDORA-2019-953fc0f16d",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZP34D27RKYV2POJ3NJLSVCHUA5V5C45A/"
            },
            {
              "name": "FEDORA-2019-ebd6c4f15a",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6AATIHU32MYKUOXQDJQU4X4DDVL7NAY3/"
            },
            {
              "name": "openSUSE-SU-2019:2222",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00090.html"
            },
            {
              "name": "openSUSE-SU-2019:2223",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00088.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2019-3839",
    "datePublished": "2019-05-16T18:31:08",
    "dateReserved": "2019-01-03T00:00:00",
    "dateUpdated": "2024-08-04T19:19:18.593Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2019-14811 (GCVE-0-2019-14811)

Vulnerability from cvelistv5

Published

2019-09-03 15:17

Modified

2024-08-05 00:26

Severity ?

7.3 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE

CWE-648

Summary

A flaw was found in, ghostscript versions prior to 9.50, in the .pdf_hook_DSC_Creator procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.

References

URL

Tags

	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14811	x_refsource_CONFIRM
	https://www.debian.org/security/2019/dsa-4518	vendor-advisory, x_refsource_DEBIAN
	https://lists.debian.org/debian-lts-announce/2019/09/msg00007.html	mailing-list, x_refsource_MLIST
	https://seclists.org/bugtraq/2019/Sep/15	mailing-list, x_refsource_BUGTRAQ
	https://access.redhat.com/errata/RHSA-2019:2594	vendor-advisory, x_refsource_REDHAT
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LBUC4DBBJTRFNCR3IODBV4IXB2C2HI3V/	vendor-advisory, x_refsource_FEDORA
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZP34D27RKYV2POJ3NJLSVCHUA5V5C45A/	vendor-advisory, x_refsource_FEDORA
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6AATIHU32MYKUOXQDJQU4X4DDVL7NAY3/	vendor-advisory, x_refsource_FEDORA
	http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00090.html	vendor-advisory, x_refsource_SUSE
	http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00088.html	vendor-advisory, x_refsource_SUSE
	https://access.redhat.com/errata/RHBA-2019:2824	vendor-advisory, x_refsource_REDHAT
	https://security.gentoo.org/glsa/202004-03	vendor-advisory, x_refsource_GENTOO

Impacted products

	Vendor	Product	Version
	Artifex Software	ghostscript	Version: ghostscript versions prior to 9.28

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T00:26:38.930Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14811"
          },
          {
            "name": "DSA-4518",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2019/dsa-4518"
          },
          {
            "name": "[debian-lts-announce] 20190909 [SECURITY] [DLA 1915-1] ghostscript security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00007.html"
          },
          {
            "name": "20190910 [SECURITY] [DSA 4518-1] ghostscript security update",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "https://seclists.org/bugtraq/2019/Sep/15"
          },
          {
            "name": "RHSA-2019:2594",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:2594"
          },
          {
            "name": "FEDORA-2019-0a9d525d71",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LBUC4DBBJTRFNCR3IODBV4IXB2C2HI3V/"
          },
          {
            "name": "FEDORA-2019-953fc0f16d",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZP34D27RKYV2POJ3NJLSVCHUA5V5C45A/"
          },
          {
            "name": "FEDORA-2019-ebd6c4f15a",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6AATIHU32MYKUOXQDJQU4X4DDVL7NAY3/"
          },
          {
            "name": "openSUSE-SU-2019:2222",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00090.html"
          },
          {
            "name": "openSUSE-SU-2019:2223",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00088.html"
          },
          {
            "name": "RHBA-2019:2824",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHBA-2019:2824"
          },
          {
            "name": "GLSA-202004-03",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202004-03"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "ghostscript",
          "vendor": "Artifex Software",
          "versions": [
            {
              "status": "affected",
              "version": "ghostscript versions prior to 9.28"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in, ghostscript versions prior to 9.50, in the .pdf_hook_DSC_Creator procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-648",
              "description": "CWE-648",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-04-01T21:06:10",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14811"
        },
        {
          "name": "DSA-4518",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2019/dsa-4518"
        },
        {
          "name": "[debian-lts-announce] 20190909 [SECURITY] [DLA 1915-1] ghostscript security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00007.html"
        },
        {
          "name": "20190910 [SECURITY] [DSA 4518-1] ghostscript security update",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "https://seclists.org/bugtraq/2019/Sep/15"
        },
        {
          "name": "RHSA-2019:2594",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:2594"
        },
        {
          "name": "FEDORA-2019-0a9d525d71",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LBUC4DBBJTRFNCR3IODBV4IXB2C2HI3V/"
        },
        {
          "name": "FEDORA-2019-953fc0f16d",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZP34D27RKYV2POJ3NJLSVCHUA5V5C45A/"
        },
        {
          "name": "FEDORA-2019-ebd6c4f15a",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6AATIHU32MYKUOXQDJQU4X4DDVL7NAY3/"
        },
        {
          "name": "openSUSE-SU-2019:2222",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00090.html"
        },
        {
          "name": "openSUSE-SU-2019:2223",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00088.html"
        },
        {
          "name": "RHBA-2019:2824",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHBA-2019:2824"
        },
        {
          "name": "GLSA-202004-03",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/202004-03"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2019-14811",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "ghostscript",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "ghostscript versions prior to 9.28"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Artifex Software"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A flaw was found in, ghostscript versions prior to 9.50, in the .pdf_hook_DSC_Creator procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands."
            }
          ]
        },
        "impact": {
          "cvss": [
            [
              {
                "vectorString": "7.3/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.0"
              }
            ]
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-648"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14811",
              "refsource": "CONFIRM",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14811"
            },
            {
              "name": "DSA-4518",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2019/dsa-4518"
            },
            {
              "name": "[debian-lts-announce] 20190909 [SECURITY] [DLA 1915-1] ghostscript security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00007.html"
            },
            {
              "name": "20190910 [SECURITY] [DSA 4518-1] ghostscript security update",
              "refsource": "BUGTRAQ",
              "url": "https://seclists.org/bugtraq/2019/Sep/15"
            },
            {
              "name": "RHSA-2019:2594",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:2594"
            },
            {
              "name": "FEDORA-2019-0a9d525d71",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LBUC4DBBJTRFNCR3IODBV4IXB2C2HI3V/"
            },
            {
              "name": "FEDORA-2019-953fc0f16d",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZP34D27RKYV2POJ3NJLSVCHUA5V5C45A/"
            },
            {
              "name": "FEDORA-2019-ebd6c4f15a",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6AATIHU32MYKUOXQDJQU4X4DDVL7NAY3/"
            },
            {
              "name": "openSUSE-SU-2019:2222",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00090.html"
            },
            {
              "name": "openSUSE-SU-2019:2223",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00088.html"
            },
            {
              "name": "RHBA-2019:2824",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHBA-2019:2824"
            },
            {
              "name": "GLSA-202004-03",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/202004-03"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2019-14811",
    "datePublished": "2019-09-03T15:17:12",
    "dateReserved": "2019-08-10T00:00:00",
    "dateUpdated": "2024-08-05T00:26:38.930Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2019-14813 (GCVE-0-2019-14813)

Vulnerability from cvelistv5

Published

2019-09-06 13:27

Modified

2024-08-05 00:26

Severity ?

7.3 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE

CWE-648

Summary

A flaw was found in ghostscript, versions 9.x before 9.50, in the setsystemparams procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.

References

URL

Tags

	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14813	x_refsource_CONFIRM
	http://git.ghostscript.com/?p=ghostpdl.git%3Ba=commitdiff%3Bh=885444fcbe10dc42787ecb76686c8ee4dd33bf33	x_refsource_CONFIRM
	https://www.debian.org/security/2019/dsa-4518	vendor-advisory, x_refsource_DEBIAN
	https://lists.debian.org/debian-lts-announce/2019/09/msg00007.html	mailing-list, x_refsource_MLIST
	https://seclists.org/bugtraq/2019/Sep/15	mailing-list, x_refsource_BUGTRAQ
	https://access.redhat.com/errata/RHSA-2019:2594	vendor-advisory, x_refsource_REDHAT
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LBUC4DBBJTRFNCR3IODBV4IXB2C2HI3V/	vendor-advisory, x_refsource_FEDORA
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZP34D27RKYV2POJ3NJLSVCHUA5V5C45A/	vendor-advisory, x_refsource_FEDORA
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6AATIHU32MYKUOXQDJQU4X4DDVL7NAY3/	vendor-advisory, x_refsource_FEDORA
	http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00090.html	vendor-advisory, x_refsource_SUSE
	http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00088.html	vendor-advisory, x_refsource_SUSE
	https://access.redhat.com/errata/RHBA-2019:2824	vendor-advisory, x_refsource_REDHAT
	https://security.gentoo.org/glsa/202004-03	vendor-advisory, x_refsource_GENTOO

Impacted products

	Vendor	Product	Version
	Artifex Software	ghostscript	Version: ghostscript versions 9.x before 9.28

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T00:26:39.065Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14813"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://git.ghostscript.com/?p=ghostpdl.git%3Ba=commitdiff%3Bh=885444fcbe10dc42787ecb76686c8ee4dd33bf33"
          },
          {
            "name": "DSA-4518",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2019/dsa-4518"
          },
          {
            "name": "[debian-lts-announce] 20190909 [SECURITY] [DLA 1915-1] ghostscript security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00007.html"
          },
          {
            "name": "20190910 [SECURITY] [DSA 4518-1] ghostscript security update",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "https://seclists.org/bugtraq/2019/Sep/15"
          },
          {
            "name": "RHSA-2019:2594",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:2594"
          },
          {
            "name": "FEDORA-2019-0a9d525d71",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LBUC4DBBJTRFNCR3IODBV4IXB2C2HI3V/"
          },
          {
            "name": "FEDORA-2019-953fc0f16d",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZP34D27RKYV2POJ3NJLSVCHUA5V5C45A/"
          },
          {
            "name": "FEDORA-2019-ebd6c4f15a",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6AATIHU32MYKUOXQDJQU4X4DDVL7NAY3/"
          },
          {
            "name": "openSUSE-SU-2019:2222",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00090.html"
          },
          {
            "name": "openSUSE-SU-2019:2223",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00088.html"
          },
          {
            "name": "RHBA-2019:2824",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHBA-2019:2824"
          },
          {
            "name": "GLSA-202004-03",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202004-03"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "ghostscript",
          "vendor": "Artifex Software",
          "versions": [
            {
              "status": "affected",
              "version": "ghostscript versions 9.x before 9.28"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in ghostscript, versions 9.x before 9.50, in the setsystemparams procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-648",
              "description": "CWE-648",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-04-01T21:06:08",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14813"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://git.ghostscript.com/?p=ghostpdl.git%3Ba=commitdiff%3Bh=885444fcbe10dc42787ecb76686c8ee4dd33bf33"
        },
        {
          "name": "DSA-4518",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2019/dsa-4518"
        },
        {
          "name": "[debian-lts-announce] 20190909 [SECURITY] [DLA 1915-1] ghostscript security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00007.html"
        },
        {
          "name": "20190910 [SECURITY] [DSA 4518-1] ghostscript security update",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "https://seclists.org/bugtraq/2019/Sep/15"
        },
        {
          "name": "RHSA-2019:2594",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:2594"
        },
        {
          "name": "FEDORA-2019-0a9d525d71",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LBUC4DBBJTRFNCR3IODBV4IXB2C2HI3V/"
        },
        {
          "name": "FEDORA-2019-953fc0f16d",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZP34D27RKYV2POJ3NJLSVCHUA5V5C45A/"
        },
        {
          "name": "FEDORA-2019-ebd6c4f15a",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6AATIHU32MYKUOXQDJQU4X4DDVL7NAY3/"
        },
        {
          "name": "openSUSE-SU-2019:2222",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00090.html"
        },
        {
          "name": "openSUSE-SU-2019:2223",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00088.html"
        },
        {
          "name": "RHBA-2019:2824",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHBA-2019:2824"
        },
        {
          "name": "GLSA-202004-03",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/202004-03"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2019-14813",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "ghostscript",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "ghostscript versions 9.x before 9.28"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Artifex Software"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A flaw was found in ghostscript, versions 9.x before 9.50, in the setsystemparams procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands."
            }
          ]
        },
        "impact": {
          "cvss": [
            [
              {
                "vectorString": "7.3/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.0"
              }
            ]
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-648"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14813",
              "refsource": "CONFIRM",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14813"
            },
            {
              "name": "http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=885444fcbe10dc42787ecb76686c8ee4dd33bf33",
              "refsource": "CONFIRM",
              "url": "http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=885444fcbe10dc42787ecb76686c8ee4dd33bf33"
            },
            {
              "name": "DSA-4518",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2019/dsa-4518"
            },
            {
              "name": "[debian-lts-announce] 20190909 [SECURITY] [DLA 1915-1] ghostscript security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00007.html"
            },
            {
              "name": "20190910 [SECURITY] [DSA 4518-1] ghostscript security update",
              "refsource": "BUGTRAQ",
              "url": "https://seclists.org/bugtraq/2019/Sep/15"
            },
            {
              "name": "RHSA-2019:2594",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:2594"
            },
            {
              "name": "FEDORA-2019-0a9d525d71",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LBUC4DBBJTRFNCR3IODBV4IXB2C2HI3V/"
            },
            {
              "name": "FEDORA-2019-953fc0f16d",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZP34D27RKYV2POJ3NJLSVCHUA5V5C45A/"
            },
            {
              "name": "FEDORA-2019-ebd6c4f15a",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6AATIHU32MYKUOXQDJQU4X4DDVL7NAY3/"
            },
            {
              "name": "openSUSE-SU-2019:2222",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00090.html"
            },
            {
              "name": "openSUSE-SU-2019:2223",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00088.html"
            },
            {
              "name": "RHBA-2019:2824",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHBA-2019:2824"
            },
            {
              "name": "GLSA-202004-03",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/202004-03"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2019-14813",
    "datePublished": "2019-09-06T13:27:47",
    "dateReserved": "2019-08-10T00:00:00",
    "dateUpdated": "2024-08-05T00:26:39.065Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2019-12973 (GCVE-0-2019-12973)

Vulnerability from cvelistv5

Published

2019-06-26 17:07

Modified

2024-08-04 23:41

Severity ?

CWE

Summary

In OpenJPEG 2.3.1, there is excessive iteration in the opj_t1_encode_cblks function of openjp2/t1.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted bmp file. This issue is similar to CVE-2018-6616.

References

URL

Tags

	http://www.securityfocus.com/bid/108900	vdb-entry, x_refsource_BID
	http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00090.html	vendor-advisory, x_refsource_SUSE
	http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00088.html	vendor-advisory, x_refsource_SUSE
	https://lists.debian.org/debian-lts-announce/2020/07/msg00008.html	mailing-list, x_refsource_MLIST
	https://www.oracle.com/security-alerts/cpujul2020.html	x_refsource_MISC
	https://github.com/uclouvain/openjpeg/pull/1185/commits/cbe7384016083eac16078b359acd7a842253d503	x_refsource_MISC
	https://github.com/uclouvain/openjpeg/commit/8ee335227bbcaf1614124046aa25e53d67b11ec3	x_refsource_MISC
	https://security.gentoo.org/glsa/202101-29	vendor-advisory, x_refsource_GENTOO
	https://www.oracle.com//security-alerts/cpujul2021.html	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T23:41:09.694Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "108900",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/108900"
          },
          {
            "name": "openSUSE-SU-2019:2222",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00090.html"
          },
          {
            "name": "openSUSE-SU-2019:2223",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00088.html"
          },
          {
            "name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2277-1] openjpeg2 security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00008.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/uclouvain/openjpeg/pull/1185/commits/cbe7384016083eac16078b359acd7a842253d503"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/uclouvain/openjpeg/commit/8ee335227bbcaf1614124046aa25e53d67b11ec3"
          },
          {
            "name": "GLSA-202101-29",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202101-29"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In OpenJPEG 2.3.1, there is excessive iteration in the opj_t1_encode_cblks function of openjp2/t1.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted bmp file. This issue is similar to CVE-2018-6616."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-07-20T22:53:32",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "108900",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/108900"
        },
        {
          "name": "openSUSE-SU-2019:2222",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00090.html"
        },
        {
          "name": "openSUSE-SU-2019:2223",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00088.html"
        },
        {
          "name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2277-1] openjpeg2 security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00008.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/uclouvain/openjpeg/pull/1185/commits/cbe7384016083eac16078b359acd7a842253d503"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/uclouvain/openjpeg/commit/8ee335227bbcaf1614124046aa25e53d67b11ec3"
        },
        {
          "name": "GLSA-202101-29",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/202101-29"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2019-12973",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In OpenJPEG 2.3.1, there is excessive iteration in the opj_t1_encode_cblks function of openjp2/t1.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted bmp file. This issue is similar to CVE-2018-6616."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "108900",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/108900"
            },
            {
              "name": "openSUSE-SU-2019:2222",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00090.html"
            },
            {
              "name": "openSUSE-SU-2019:2223",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00088.html"
            },
            {
              "name": "[debian-lts-announce] 20200710 [SECURITY] [DLA 2277-1] openjpeg2 security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00008.html"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujul2020.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
            },
            {
              "name": "https://github.com/uclouvain/openjpeg/pull/1185/commits/cbe7384016083eac16078b359acd7a842253d503",
              "refsource": "MISC",
              "url": "https://github.com/uclouvain/openjpeg/pull/1185/commits/cbe7384016083eac16078b359acd7a842253d503"
            },
            {
              "name": "https://github.com/uclouvain/openjpeg/commit/8ee335227bbcaf1614124046aa25e53d67b11ec3",
              "refsource": "MISC",
              "url": "https://github.com/uclouvain/openjpeg/commit/8ee335227bbcaf1614124046aa25e53d67b11ec3"
            },
            {
              "name": "GLSA-202101-29",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/202101-29"
            },
            {
              "name": "https://www.oracle.com//security-alerts/cpujul2021.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2019-12973",
    "datePublished": "2019-06-26T17:07:51",
    "dateReserved": "2019-06-26T00:00:00",
    "dateUpdated": "2024-08-04T23:41:09.694Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

opensuse-su-2019:2222-1

Vulnerability from csaf_opensuse

CVE-2019-14817 (GCVE-0-2019-14817)

Vulnerability from cvelistv5

CVE-2019-3835 (GCVE-0-2019-3835)

Vulnerability from cvelistv5

CVE-2019-14812 (GCVE-0-2019-14812)

Vulnerability from cvelistv5

CVE-2019-3839 (GCVE-0-2019-3839)

Vulnerability from cvelistv5

CVE-2019-14811 (GCVE-0-2019-14811)

Vulnerability from cvelistv5

CVE-2019-14813 (GCVE-0-2019-14813)

Vulnerability from cvelistv5

CVE-2019-12973 (GCVE-0-2019-12973)

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature