{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2024-29510", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-19T07:47:53.603Z", "dateReserved": "2024-03-19T00:00:00", "datePublished": "2024-07-03T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-07-03T18:26:31.334443"}, "descriptions": [{"lang": "en", "value": "Artifex Ghostscript before 10.03.1 allows memory corruption, and SAFER sandbox bypass, via format string injection with a uniprint device."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://bugs.ghostscript.com/show_bug.cgi?id=707662"}, {"url": "https://www.openwall.com/lists/oss-security/2024/07/03/7"}, {"url": "https://codeanlabs.com/blog/research/cve-2024-29510-ghostscript-format-string-exploitation/"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-693", "lang": "en", "description": "CWE-693 Protection Mechanism Failure"}]}], "affected": [{"vendor": "ghostscript", "product": "ghostscript", "cpes": ["cpe:2.3:a:ghostscript:ghostscript:0:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "10.03.0", "versionType": "custom"}]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-07-10T00:00:00+00:00", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2024-29510"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-30T03:55:31.945Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-19T07:47:53.603Z"}, "title": "CVE Program Container", "references": [{"url": "https://bugs.ghostscript.com/show_bug.cgi?id=707662", "tags": ["x_transferred"]}, {"url": "https://www.openwall.com/lists/oss-security/2024/07/03/7", "tags": ["x_transferred"]}, {"url": "https://codeanlabs.com/blog/research/cve-2024-29510-ghostscript-format-string-exploitation/", "tags": ["x_transferred"]}, {"url": "https://www.vicarius.io/vsociety/posts/critical-vulnerability-in-ghostscript-cve-2024-29510"}]}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://bugs.ghostscript.com/show_bug.cgi?id=707662", "tags": ["x_transferred"]}, {"url": "https://www.openwall.com/lists/oss-security/2024/07/03/7", "tags": ["x_transferred"]}, {"url": "https://codeanlabs.com/blog/research/cve-2024-29510-ghostscript-format-string-exploitation/", "tags": ["x_transferred"]}, {"url": "https://www.vicarius.io/vsociety/posts/critical-vulnerability-in-ghostscript-cve-2024-29510"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-19T07:47:53.603Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-29510", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-08T13:49:45.881449Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:ghostscript:ghostscript:0:*:*:*:*:*:*:*"], "vendor": "ghostscript", "product": "ghostscript", "versions": [{"status": "affected", "version": "0", "lessThan": "10.03.0", "versionType": "custom"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-693", "description": "CWE-693 Protection Mechanism Failure"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-08T13:39:57.806Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://bugs.ghostscript.com/show_bug.cgi?id=707662"}, {"url": "https://www.openwall.com/lists/oss-security/2024/07/03/7"}, {"url": "https://codeanlabs.com/blog/research/cve-2024-29510-ghostscript-format-string-exploitation/"}], "descriptions": [{"lang": "en", "value": "Artifex Ghostscript before 10.03.1 allows memory corruption, and SAFER sandbox bypass, via format string injection with a uniprint device."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-07-03T18:26:31.334443"}}}, "cveMetadata": {"cveId": "CVE-2024-29510", "state": "PUBLISHED", "dateUpdated": "2024-08-19T07:47:53.603Z", "dateReserved": "2024-03-19T00:00:00", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2024-07-03T00:00:00", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:artifex:ghostscript:*:*:*:*:*:*:*:*", "matchCriteriaId": "62DFF97A-B408-4992-940C-5AEAFCB69A99", "versionEndExcluding": "10.03.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Artifex Ghostscript before 10.03.1 allows memory corruption, and SAFER sandbox bypass, via format string injection with a uniprint device."}, {"lang": "es", "value": "Artifex Ghostscript anterior a 10.03.1 permite la corrupci\u00f3n de la memoria y una omisi\u00f3n M\u00c1S SEGURA de la sandbox mediante la inyecci\u00f3n de cadena de formato con un dispositivo uniprint."}], "id": "CVE-2024-29510", "lastModified": "2025-04-28T17:12:24.787", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 4.0, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-07-03T19:15:03.320", "references": [{"source": "cve@mitre.org", "tags": ["Issue Tracking"], "url": "https://bugs.ghostscript.com/show_bug.cgi?id=707662"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://codeanlabs.com/blog/research/cve-2024-29510-ghostscript-format-string-exploitation/"}, {"source": "cve@mitre.org", "tags": ["Mailing List"], "url": "https://www.openwall.com/lists/oss-security/2024/07/03/7"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking"], "url": "https://bugs.ghostscript.com/show_bug.cgi?id=707662"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://codeanlabs.com/blog/research/cve-2024-29510-ghostscript-format-string-exploitation/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"], "url": "https://www.openwall.com/lists/oss-security/2024/07/03/7"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.vicarius.io/vsociety/posts/critical-vulnerability-in-ghostscript-cve-2024-29510"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-693"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:6197", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "ghostscript-0:9.54.0-17.el9_4", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-09-03T00:00:00Z"}, {"advisory": "RHSA-2024:6466", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "ghostscript-0:9.54.0-12.el9_2.2", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-09-09T00:00:00Z"}], "bugzilla": {"description": "ghostscript: format string injection leads to shell command execution (SAFER bypass)", "id": "2293950", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2293950"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-20", "details": ["Artifex Ghostscript before 10.03.1 allows memory corruption, and SAFER sandbox bypass, via format string injection with a uniprint device.", "A flaw in Ghostscript has been identified where the uniprint device allows users to pass various string fragments as device options. These strings, particularly upWriteComponentCommands and upYMoveCommand, are treated as format strings for gp_fprintf and gs_snprintf. This lack of restriction permits arbitrary format strings with multiple specifiers, potentially leading to data leakage from the stack and memory corruption. In RHEL 9 or newer, an attacker could exploit this vulnerability to temporarily disable Ghostscript\u2019s SAFER mode, which prevents Postscript code from executing commands or opening arbitrary files during the current invocation."], "mitigation": {"lang": "en:us", "value": "Passing the -dSAFER safety argument on the command line prevents the issue by locking security-related variables after Ghostscript's initialization. In RHEL 9, -dSAFER is enabled by default, ensuring that insecure commands are rejected in a safer environment. The versions of Ghostscript in RHEL 7 and RHEL 8 have an older implementation of SAFER mode that is not enabled by default, but can be enabled by passing -dSAFER on the command line when invoking Ghostscript. This older SAFER mode implementation denies Postscript code the ability to change the output device, and therefore prevents malicious Postscript code from selecting the uniprint output device in order to exploit the format string vulnerabilities in its upWriteComponentCommands and upYMoveCommand parameters. On RHEL 7 and RHEL 8, we recommend always passing -dSAFER on the command line, and avoiding manually selecting the uniprint output device on the command line."}, "name": "CVE-2024-29510", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "ghostscript", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "ghostscript", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "ghostscript", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "ghostscript", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "gimp:flatpak/ghostscript", "product_name": "Red Hat Enterprise Linux 8"}], "public_date": "2024-05-16T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-29510\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-29510"], "threat_severity": "Moderate"}