CVE-2018-19477 — HIGH (7.8)

Q: What is CVE-2018-19477?

CVE-2018-19477 is a vulnerability with a CVSS score of 7.8 (HIGH). psi/zfjbig2.c in Artifex Ghostscript before 9.26 allows remote attackers to bypass intended access restrictions because of a JBIG2Decode type confusion.

Q: How severe is CVE-2018-19477?

CVE-2018-19477 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2018-19477?

Check the references section above for vendor advisories and patch information. Affected products include: Artifex Ghostscript, Debian Debian Linux, Canonical Ubuntu Linux, Redhat Openshift Container Platform, Redhat Enterprise Linux Desktop.

Vulnerability Description

psi/zfjbig2.c in Artifex Ghostscript before 9.26 allows remote attackers to bypass intended access restrictions because of a JBIG2Decode type confusion.

CVSS Score

7.8

HIGH

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Artifex	Ghostscript	< 9.26
Debian	Debian Linux	8.0
Canonical	Ubuntu Linux	14.04
Redhat	Openshift Container Platform	3.11
Redhat	Enterprise Linux Desktop	7.0
Redhat	Enterprise Linux Server	7.0
Redhat	Enterprise Linux Server Aus	7.6
Redhat	Enterprise Linux Server Eus	7.6
Redhat	Enterprise Linux Server Tus	7.6
Redhat	Enterprise Linux Workstation	7.0

Related Weaknesses (CWE)

CWE-704

References

http://git.ghostscript.com/?p=ghostpdl.git%3Ba=commit%3Bh=ef252e7dc214bcbd9a2539
http://git.ghostscript.com/?p=ghostpdl.git%3Bh=606a22e77e7f081781e99e44644cd0119
http://www.securityfocus.com/bid/106154Third Party AdvisoryVDB Entry
https://access.redhat.com/errata/RHBA-2019:0327Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:0229Third Party Advisory
https://bugs.ghostscript.com/show_bug.cgi?id=700168Issue TrackingPatchVendor Advisory
https://lists.debian.org/debian-lts-announce/2018/11/msg00036.htmlMailing ListThird Party Advisory
https://semmle.com/news/semmle-discovers-severe-vulnerability-ghostscript-postscExploitMitigationThird Party Advisory
https://usn.ubuntu.com/3831-1/Third Party Advisory
https://www.debian.org/security/2018/dsa-4346Third Party Advisory
https://www.ghostscript.com/doc/9.26/History9.htm#Version9.26Release NotesVendor Advisory
http://git.ghostscript.com/?p=ghostpdl.git%3Ba=commit%3Bh=ef252e7dc214bcbd9a2539
http://git.ghostscript.com/?p=ghostpdl.git%3Bh=606a22e77e7f081781e99e44644cd0119
http://www.securityfocus.com/bid/106154Third Party AdvisoryVDB Entry
https://access.redhat.com/errata/RHBA-2019:0327Third Party Advisory

FAQ

What is CVE-2018-19477?

CVE-2018-19477 is a vulnerability with a CVSS score of 7.8 (HIGH). psi/zfjbig2.c in Artifex Ghostscript before 9.26 allows remote attackers to bypass intended access restrictions because of a JBIG2Decode type confusion.

How severe is CVE-2018-19477?

CVE-2018-19477 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2018-19477?

Check the references section above for vendor advisories and patch information. Affected products include: Artifex Ghostscript, Debian Debian Linux, Canonical Ubuntu Linux, Redhat Openshift Container Platform, Redhat Enterprise Linux Desktop.