PT-2024-4560 · Unknown+10 · Ghostscript+10

Zhutyra · Published 2024-04-21 · Updated 2026-03-29 · CVE-2024-33871

CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Ghostscript versions prior to 10.03.1
Description: The issue exists due to insufficient input validation in the contrib/opvp/gdevopvp.c component of the Ghostscript interpreter. This can be exploited by a remote attacker using a specially crafted PostScript file, potentially allowing arbitrary code execution. The vulnerability is related to the Driver parameter for opvp devices, which can have an arbitrary name for a dynamic library, and this library is then loaded.
Recommendations: For Ghostscript versions prior to 10.03.1, update to version 10.03.1 or later to resolve the issue. As a temporary workaround, consider restricting the use of custom Driver libraries for opvp devices to minimize the risk of exploitation.

Fix

Code Injection

RCE

Weakness Enumeration

Related Identifiers

ALSA-2024:3999
ALSA-2024:4000
ALT-PU-2024-13477
ALT-PU-2024-14136
ALT-PU-2024-14302
BDU:2024-05064
CESA-2024_4000
CVE-2024-33871
DSA-5692-1
INFSA-2024_3999
INFSA-2024_4000
MGASA-2024-0192
OESA-2024-2454
OESA-2024-2456
OESA-2024-2457
OESA-2024-2458
OPENSUSE-SU-2024:14090-1
OPENSUSE-SU-2024_2198-1
RHSA-2024:3999
RHSA-2024:4000
RHSA-2024:4014
RHSA-2024:4462
RHSA-2024:4527
RHSA-2024:4537
RHSA-2024:4541
RHSA-2024:4544
RHSA-2024:4549
RHSA-2024_3999
RHSA-2024_4000
RLSA-2024:3999
RLSA-2024:4000
ROSA-SA-2024-2494
SUSE-SU-2024:2198-1
SUSE-SU-2024:2199-1
SUSE-SU-2024_2198-1
SUSE-SU-2024_2199-1
USN-6835-1

Affected Products

ALT Linux
AlmaLinux
Astra Linux
CentOS
Ghostscript
Linux Mint
Red Hat
RED OS
Rocky Linux
SUSE
Ubuntu