9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.005 Low
EPSS
Percentile
76.4%
A memory corruption issue was found in Artifex Ghostscript 9.50 and 9.52. Use of a non-standard PostScript operator can allow overriding of file access controls. The ‘rsearch’ calculation for the ‘post’ size resulted in a size that was too large, and could underflow to max uint32_t. This was fixed in commit 5d499272b95a6b890a1397e11d20937de000d31b.
Recent assessments:
zeroSteiner at January 05, 2021 8:03pm UTC reported:
From NVD:
> A memory corruption issue was found in Artifex Ghostscript 9.50 and 9.52. Use of a non-standard PostScript operator can allow overriding of file access controls. The ‘rsearch’ calculation for the ‘post’ size resulted in a size that was too large, and could underflow to max uint32_t.
GhostScript is a pretty popular engine for Postscript and PDF documents. A critical feature of this is the sandbox which makes it safe to view documents received from untrusted sources. Escaping from the sandbox would all a malicious user to leverage dangerous functions that are builtin that can allow arbitrary file reading and writing along with OS command execution in certain environments.
The sandbox escape can be performed by leveraging the underflow to access memory outside the permissible boundary. By reading key locations, a specially crafted malicious document could corrupt the flag that controls the sandbox.
A weaponized version of this exploit would likely need to tell if it’s on Windows or LInux, which may be able to be determined at runtime by performing a file read and handling failures using well known file paths as the target.
See: <https://insomniasec.com/blog/ghostscript-cve-2020-15900>
Assessed Attacker Value: 3
Assessed Attacker Value: 3Assessed Attacker Value: 4
git.ghostscript.com?p=ghostpdl.git;a=log
lists.opensuse.org/opensuse-security-announce/2020-08/msg00004.html
lists.opensuse.org/opensuse-security-announce/2020-08/msg00006.html
artifex.com/security-advisories/CVE-2020-15900
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15900
git.ghostscript.com?p=ghostpdl.git;a=commitdiff;h=5d499272b95a6b890a1397e11d20937de000d31b
github.com/ArtifexSoftware/ghostpdl/commit/5d499272b95a6b890a1397e11d20937de000d31b
github.com/ArtifexSoftware/ghostpdl/commits/master/psi/zstring.c
security.gentoo.org/glsa/202008-20
usn.ubuntu.com/4445-1
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.005 Low
EPSS
Percentile
76.4%