Opened 5 weeks ago

Closed 5 weeks ago

#15517 closed defect (fixed)

New public ghostscript vulnerability.

Reported by: ken@… Owned by: ken@…
Priority: high Milestone: 11.1
Component: BOOK Version: git
Severity: normal Keywords:
Cc:

Description

Today Debian announced they have patched ghostscript for CVE-2021-3781, a new 0-day which has been exploited for some time and public for a few days. In particular, it can be exploited via ImageMagick's convert program if that can be used to convert uploaded files to a different format.

Upstream bug report now public at https://bugs.ghostscript.com/show_bug.cgi?id=704342 - this applies to all versions from 9.50 onwards.

Change History (1)

comment:1 by ken@…, 5 weeks ago

Priority: elevated → high
Resolution: fixed
Status: assigned → closed

Fixed at @f429481684a2d6f5ce95d6dcb313e50ba9c46186 SA 11.0-005.

Since there is a public PoC and the related vulnerability was used to gain bug bounties, I've rated this as critical.
