CVE-2019-14817
HIGHGhostscript < 9.50 - Privilege Escalation via Unsecured Privileged API Calls
Title source: llmDescription
A flaw was found in, ghostscript versions prior to 9.50, in the .pdfexectoken and other procedures where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.
References (13)
Core 13
Core References
Exploit, Issue Tracking, Third Party Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14817
Patch x_refsource_confirm
http://git.ghostscript.com/?p=ghostpdl.git%3Ba=commitdiff%3Bh=cd1b1cacadac2479e291efe611979bdc1b3bdb19
Third Party Advisory vendor-advisory
x_refsource_debian
https://www.debian.org/security/2019/dsa-4518
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2019/09/msg00007.html
Mailing List, Third Party Advisory mailing-list
x_refsource_bugtraq
https://seclists.org/bugtraq/2019/Sep/15
Third Party Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:2594
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LBUC4DBBJTRFNCR3IODBV4IXB2C2HI3V/
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZP34D27RKYV2POJ3NJLSVCHUA5V5C45A/
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6AATIHU32MYKUOXQDJQU4X4DDVL7NAY3/
Mailing List, Third Party Advisory vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00090.html
Mailing List, Third Party Advisory vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00088.html
Third Party Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHBA-2019:2824
Third Party Advisory vendor-advisory
x_refsource_gentoo
https://security.gentoo.org/glsa/202004-03
Scores
CVSS v3
7.8
EPSS
0.0203
EPSS Percentile
78.4%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
CWE
CWE-648
CWE-863
Status
published
Products (11)
artifex/ghostscript
< 9.50
debian/debian_linux
8.0
debian/debian_linux
9.0
debian/debian_linux
10.0
fedoraproject/fedora
29
fedoraproject/fedora
30
fedoraproject/fedora
31
opensuse/leap
15.0
opensuse/leap
15.1
redhat/openshift_container_platform
3.11
... and 1 more
Published
Sep 03, 2019
Tracked Since
Feb 18, 2026