CVE-2018-15909

moderate-risk

Published 2018-08-27

In Artifex Ghostscript 9.23 before 2018-08-24, a type confusion using the .shfill operator could be used by attackers able to supply crafted PostScript files to crash the interpreter or potentially execute code.

Do I need to act?

2.3% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.8/10 High

LOCAL / LOW complexity

Affected Products (13)

Debian Linux

Ubuntu Linux

Ghostscript

Gpl Ghostscript

Enterprise Linux Desktop

Enterprise Linux Server

Enterprise Linux Server Aus

Enterprise Linux Server Eus

Enterprise Linux Server Tus

Enterprise Linux Workstation

Pulse Connect Secure

Affected Vendors

Debian Redhat Canonical Artifex Pulsesecure

References (20)

http://git.ghostscript.com/?p=ghostpdl.git%3Ba=commit%3Bh=0b6cd1918e1ec4ffd08740...

http://git.ghostscript.com/?p=ghostpdl.git%3Ba=commit%3Bh=e01e77a36cbb2e0277bc3a...

Third Party Advisory http://www.securityfocus.com/bid/105178

Third Party Advisory https://access.redhat.com/errata/RHSA-2018:3650

Patch https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101

Mailing List https://lists.debian.org/debian-lts-announce/2018/09/msg00015.html

Third Party Advisory https://security.gentoo.org/glsa/201811-12

https://support.f5.com/csp/article/K24803507?utm_source=f5support&amp%3Butm_medi...

Third Party Advisory https://usn.ubuntu.com/3768-1/

Patch https://www.kb.cert.org/vuls/id/332928