CVE-2018-19476 — HIGH (7.8)

Q: What is CVE-2018-19476?

CVE-2018-19476 is a vulnerability with a CVSS score of 7.8 (HIGH). psi/zicc.c in Artifex Ghostscript before 9.26 allows remote attackers to bypass intended access restrictions because of a setcolorspace type confusion.

Q: How severe is CVE-2018-19476?

CVE-2018-19476 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2018-19476?

Check the references section above for vendor advisories and patch information. Affected products include: Artifex Ghostscript, Debian Debian Linux, Canonical Ubuntu Linux, Redhat Openshift Container Platform, Redhat Enterprise Linux Desktop.

Vulnerability Description

psi/zicc.c in Artifex Ghostscript before 9.26 allows remote attackers to bypass intended access restrictions because of a setcolorspace type confusion.

CVSS Score

7.8

HIGH

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Artifex	Ghostscript	< 9.26
Debian	Debian Linux	8.0
Canonical	Ubuntu Linux	14.04
Redhat	Openshift Container Platform	3.11
Redhat	Enterprise Linux Desktop	7.0
Redhat	Enterprise Linux Server	7.0
Redhat	Enterprise Linux Server Aus	7.6
Redhat	Enterprise Linux Server Eus	7.6
Redhat	Enterprise Linux Server Tus	7.6
Redhat	Enterprise Linux Workstation	7.0

Related Weaknesses (CWE)

CWE-704

References

http://git.ghostscript.com/?p=ghostpdl.git%3Ba=commit%3Bh=67d760ab775dae4efe803b
http://git.ghostscript.com/?p=ghostpdl.git%3Bh=434753adbe8be5534bfb9b7d91746023e
http://www.securityfocus.com/bid/106154Third Party AdvisoryVDB Entry
https://access.redhat.com/errata/RHBA-2019:0327Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:0229Third Party Advisory
https://bugs.ghostscript.com/show_bug.cgi?id=700169Issue TrackingPatchVendor Advisory
https://lists.debian.org/debian-lts-announce/2018/11/msg00036.htmlMailing ListThird Party Advisory
https://semmle.com/news/semmle-discovers-severe-vulnerability-ghostscript-postscExploitMitigationThird Party Advisory
https://usn.ubuntu.com/3831-1/Third Party Advisory
https://www.debian.org/security/2018/dsa-4346Third Party Advisory
https://www.ghostscript.com/doc/9.26/History9.htm#Version9.26Release NotesVendor Advisory
http://git.ghostscript.com/?p=ghostpdl.git%3Ba=commit%3Bh=67d760ab775dae4efe803b
http://git.ghostscript.com/?p=ghostpdl.git%3Bh=434753adbe8be5534bfb9b7d91746023e
http://www.securityfocus.com/bid/106154Third Party AdvisoryVDB Entry
https://access.redhat.com/errata/RHBA-2019:0327Third Party Advisory

FAQ

What is CVE-2018-19476?

CVE-2018-19476 is a vulnerability with a CVSS score of 7.8 (HIGH). psi/zicc.c in Artifex Ghostscript before 9.26 allows remote attackers to bypass intended access restrictions because of a setcolorspace type confusion.

How severe is CVE-2018-19476?

CVE-2018-19476 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2018-19476?

Check the references section above for vendor advisories and patch information. Affected products include: Artifex Ghostscript, Debian Debian Linux, Canonical Ubuntu Linux, Redhat Openshift Container Platform, Redhat Enterprise Linux Desktop.