CVE-2020-15900

A memory corruption issue was found in Artifex Ghostscript 9.50 and 9.52. Use of a non-standard PostScript operator can allow overriding of file access controls. The 'rsearch' calculation for the 'post' size resulted in a size that was too large, and could underflow to max uint32_t. This was fixed in commit 5d499272b95a6b890a1397e11d20937de000d31b.

CVSS v3 9.8 CRITICAL
CVSS v2.0 7.5 HIGH

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.5^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://git.ghostscript.com/?p=ghostpdl.git%3Ba=log
http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00004.html	Mailing List Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00006.html	Mailing List Third Party Advisory
https://artifex.com/security-advisories/CVE-2020-15900	Vendor Advisory
https://git.ghostscript.com/?p=ghostpdl.git%3Ba=commitdiff%3Bh=5d499272b95a6b890a1397e11d20937de000d31b
https://github.com/ArtifexSoftware/ghostpdl/commit/5d499272b95a6b890a1397e11d20937de000d31b	Patch Third Party Advisory
https://github.com/ArtifexSoftware/ghostpdl/commits/master/psi/zstring.c	Patch Third Party Advisory
https://security.gentoo.org/glsa/202008-20	Third Party Advisory
https://usn.ubuntu.com/4445-1/	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:artifex:ghostscript:9.50:::::::*
	cpe:2.3:a:artifex:ghostscript:9.52:::::::*

Configuration 2 (hide)

cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*

Configuration 3 (hide)

OR	cpe:2.3:o:opensuse:leap:15.1:::::::*
	cpe:2.3:o:opensuse:leap:15.2:::::::*

History

No history.

Information

Published : 2020-07-28 16:15

Updated : 2023-11-07 03:17

NVD link : CVE-2020-15900

Mitre link : CVE-2020-15900

CVE.ORG link : CVE-2020-15900

JSON object : View

Products Affected

artifex

ghostscript

canonical

ubuntu_linux

opensuse

leap

CWE

CWE-191

Integer Underflow (Wrap or Wraparound)

CWE-787

Out-of-bounds Write

{"id": "CVE-2020-15900", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2020-07-28T16:15:12.840", "references": [{"url": "http://git.ghostscript.com/?p=ghostpdl.git%3Ba=log", "source": "cve@mitre.org"}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00004.html", "tags": ["Mailing List", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00006.html", "tags": ["Mailing List", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://artifex.com/security-advisories/CVE-2020-15900", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://git.ghostscript.com/?p=ghostpdl.git%3Ba=commitdiff%3Bh=5d499272b95a6b890a1397e11d20937de000d31b", "source": "cve@mitre.org"}, {"url": "https://github.com/ArtifexSoftware/ghostpdl/commit/5d499272b95a6b890a1397e11d20937de000d31b", "tags": ["Patch", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/ArtifexSoftware/ghostpdl/commits/master/psi/zstring.c", "tags": ["Patch", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://security.gentoo.org/glsa/202008-20", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://usn.ubuntu.com/4445-1/", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-191"}, {"lang": "en", "value": "CWE-787"}]}], "descriptions": [{"lang": "en", "value": "A memory corruption issue was found in Artifex Ghostscript 9.50 and 9.52. Use of a non-standard PostScript operator can allow overriding of file access controls. The 'rsearch' calculation for the 'post' size resulted in a size that was too large, and could underflow to max uint32_t. This was fixed in commit 5d499272b95a6b890a1397e11d20937de000d31b."}, {"lang": "es", "value": "Se encontr\u00f3 un problema de corrupci\u00f3n de memoria en Artifex Ghostscript versiones 9.50 y 9.52. El uso de un operador PostScript no est\u00e1ndar puede permitir la anulaci\u00f3n de los controles de acceso de archivos. El c\u00e1lculo de \"rsearch\" para el tama\u00f1o de \"post\" result\u00f3 en un tama\u00f1o que era demasiado grande y podr\u00eda llegar a un m\u00e1ximo de uint32_t. Esto se corrigi\u00f3 en commit 5d499272b95a6b890a1397e11d20937de000d31b"}], "lastModified": "2023-11-07T03:17:56.597", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:artifex:ghostscript:9.50:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "089333A5-72AA-4E68-8A8E-81876AAC9DD3"}, {"criteria": "cpe:2.3:a:artifex:ghostscript:9.52:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BF20A2FF-98ED-45EF-9263-D915D7A1953D"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*", "vulnerable": true, "matchCriteriaId": "902B8056-9E37-443B-8905-8AA93E2447FB"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B620311B-34A3-48A6-82DF-6F078D7A4493"}, {"criteria": "cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B009C22E-30A4-4288-BCF6-C3E81DEAF45A"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}

9.8 /10