CVE-2019-3835

Impact:
Important
Public Date:
2019-03-21
CWE:
CWE-648
Bugzilla:
1677588: CVE-2019-3835 ghostscript: superexec operator is available (700585)
It was found that the superexec operator was available in the internal dictionary. A specially crafted PostScript file could use this flaw in order to, for example, have access to the file system outside of the constrains imposed by -dSAFER.

Find out more about CVE-2019-3835 from the MITRE CVE dictionary dictionary and NIST NVD.

CVSS v3 metrics

CVSS3 Base Score 7.3
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality Low
Integrity Impact Low
Availability Impact Low

Red Hat Security Errata

Platform Errata Release Date
Red Hat Enterprise Linux 7 (ghostscript) RHSA-2019:0633 2019-03-21
Red Hat Enterprise Linux 8 (ghostscript) RHSA-2019:0971 2019-05-07
Red Hat Enterprise Linux 8 (ghostscript) RHSA-2019:0971 2019-05-07

Affected Packages State

Platform Package State
Red Hat Enterprise Linux 6 ghostscript Will not fix
Red Hat Enterprise Linux 5 ghostscript Will not fix

Acknowledgements

This issue was discovered by Cedric Buissart (Red Hat).

Mitigation

Please refer to the "Mitigation" section of CVE-2018-16509 : https://access.redhat.com/security/cve/cve-2018-16509

External References

Last Modified