CVE-2023-43115

In Artifex Ghostscript through 10.01.2, gdevijs.c in GhostPDL can lead to remote code execution via crafted PostScript documents because they can switch to the IJS device, or change the IjsServer parameter, after SAFER has been activated. NOTE: it is a documented risk that the IJS server can be specified on a gs command line (the IJS device inherently must execute a command to start the IJS server).

Published: Sep 18, 2023
Updated: May 10, 2024
CVE: CVE-2023-43115
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.8
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
artifex / ghostscript	-	10.01.2.x
fedoraproject / fedora	38	38.x
fedoraproject / fedora	39	39.x

https://bugs.ghostscript.com/show_bug.cgi?id=707051
https://ghostscript.com/
https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=e59216049cac290fb437a04c4f41ea46826cfba5
https://git.ghostscript.com/?p=ghostpdl.git%3Ba=commit%3Bh=e59216049cac290fb437a04c4f41ea46826cfba5
https://lists.fedoraproject.org/archives/list/[email protected]/message/IK3UXJ5HKMPAL5EQELJAWSRPA2AUOJJO/
https://lists.fedoraproject.org/archives/list/[email protected]/message/PG5AQV7JOL5TAU76FWPJCMSKO5DREKV5/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IK3UXJ5HKMPAL5EQELJAWSRPA2AUOJJO/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PG5AQV7JOL5TAU76FWPJCMSKO5DREKV5/

Vulnerability Database

289,599

CVE-2023-43115