PT-2024-4559 · Artifex · Artifex Ghostscript

Zhutyra · Published 2024-03-24 · Updated 2024-11-07 · CVE-2024-33870

CVSS v3.1: 6.3 (Medium)
Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Artifex Ghostscript versions prior to 10.03.1
Description: The issue stems from errors in how Ghostscript handles relative paths to directories, which can allow a remote attacker to execute arbitrary code using a specially crafted PostScript file. This is achieved through path traversal: a crafted PostScript document can access arbitrary files if the current directory is in the permitted paths. For example, transforming ../../foo into ./../../foo can grant access if ./ is permitted.
Recommendations: For Artifex Ghostscript versions prior to 10.03.1, update to version 10.03.1 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive directories and files to minimize the risk of exploitation. Avoid processing untrusted or malformed PostScript documents until the issue is resolved.

Fix

Weakness Enumeration

Path traversal
Relative Path Traversal

Related Identifiers

ALSA-2024:6197
ALT-PU-2024-13477
ALT-PU-2024-14136
ALT-PU-2024-14302
BDU:2024-05063
CVE-2024-33870
DSA-5692-1
INFSA-2024_6197
MGASA-2024-0192
OESA-2024-2176
OESA-2024-2177
OESA-2024-2178
OPENSUSE-SU-2024:14090-1
OPENSUSE-SU-2024_2292-1
RHSA-2024:6197
RHSA-2024:6466
RHSA-2024_6197
SUSE-SU-2024:2276-1
SUSE-SU-2024:2292-1
USN-6835-1

Affected Products

Alt Linux
Almalinux
Artifex Ghostscript
Astra Linux
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu