Opened 3 years ago
Closed 3 years ago
#15517 closed defect (fixed)
New public ghostscript vulnerability.
| Reported by: | Owned by: | ||
|---|---|---|---|
| Priority: | high | Milestone: | 11.1 |
| Component: | BOOK | Version: | git |
| Severity: | normal | Keywords: | |
| Cc: |
Description
Today debian announced they have patched ghostscript for CVE-2021-3781. a new 0-day which has been exploited for some time, and public for a few days. In particular, it can be exploited via ImageMagick's convert program if that can be used to convert uploaded files to a different format.
Upstream bug report now public at https://bugs.ghostscript.com/show_bug.cgi?id=704342 - this applies to all versions from 9.50 onwards.
Change History (1)
comment:1 by , 3 years ago
| Priority: | elevated → high |
|---|---|
| Resolution: | → fixed |
| Status: | assigned → closed |
Note:
See TracTickets
for help on using tickets.
Fixed at @f429481684a2d6f5ce95d6dcb313e50ba9c46186 SA 11.0-005.
Since there is a public PoC and the related vulnerability was used to gain bug bounties, I've rated this as critical.