Vulnerability DatabaseCVE-2023-43115

CVE-2023-43115:
Ghostscript vulnerability analysis and mitigation

Overview

CVE-2023-43115 affects Artifex Ghostscript through version 10.01.2. The vulnerability exists in the gdevijs.c component of GhostPDL, which can lead to remote code execution through crafted PostScript documents by switching to the IJS device or changing the IjsServer parameter after SAFER has been activated (NVD, Ghostscript).

Technical details

The vulnerability has a CVSS v3.1 base score of 8.8 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The issue stems from the IJS device's inherent need to execute commands to start the IJS server, which is a documented risk when the IJS server is specified on a gs command line (NVD).

Impact

The vulnerability allows attackers to achieve remote code execution through specially crafted PostScript documents. This can lead to high impacts on confidentiality, integrity, and availability of the affected systems (NVD).

Mitigation and workarounds

The vulnerability has been fixed in Ghostscript/GhostPDL version 10.02.0. Due to the remote code execution risk, it is strongly recommended to upgrade to version 10.02.0 or later as a matter of urgency (Ghostscript).

Community reactions

Multiple Linux distributions have released security updates to address this vulnerability, including Fedora 38 and 39, which have updated their packages to include the fix (Fedora Mailing List).

Additional resources

Source: This report was generated using AI

8.8

Score

Published September 18, 2023

Severity HIGH

CNA Score N/A

Affected Technologies

Ghostscript
Alma Linux

Has Public Exploit No

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 95.6

Exploitation Probability (EPSS) 23

Sources

AlmaLinux Security Advisory
- AlmaLinux 9 Severity HIGHHas FixAdded at: Nov 05, 2023
Alpine Security Tracker
- Alpine 3.2, 3.3, 3.4, 3.5, 3.6, 3.7, 3.8, 3.9, 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18 Severity HIGHHas FixAdded at: Nov 06, 2023
- Alpine 3.19 Severity HIGHHas FixAdded at: Dec 10, 2023
- Alpine 3.20 Severity HIGHHas FixAdded at: May 26, 2024
- Alpine 3.21 Severity HIGHHas FixAdded at: Dec 08, 2024
- Alpine 3.22 Severity HIGHHas FixAdded at: Jun 01, 2025
- Alpine edge Severity HIGHHas FixAdded at: Nov 02, 2023
Anaconda
- Anaconda Severity HIGHNo FixAdded at: Jan 21, 2025
Chainguard
- Chainguard Has FixAdded at: Oct 03, 2023
Debian Security Tracker
- Debian 11, 12, 13 Severity HIGHHas FixAdded at: Sep 19, 2023
Homebrew
- Homebrew Severity HIGHNo FixAdded at: Feb 12, 2024
Nix
- Nix Severity HIGHNo FixAdded at: Oct 10, 2023
Red Hat Errata
- Red Hat 6 Severity HIGHNo FixAdded at: Oct 02, 2023
- Red Hat 9 Severity HIGHHas FixAdded at: Oct 02, 2023
Ubuntu Security Tracker
- Ubuntu 20.04, 22.04, 23.04 Severity MEDIUMHas FixAdded at: Oct 03, 2023
- Ubuntu 23.10 Severity MEDIUMHas FixAdded at: Oct 31, 2023
Wolfi
- Wolfi Has FixAdded at: Oct 03, 2023
NVD
- Linux Severity HIGHHas FixAdded at: Sep 24, 2023
- Windows Severity HIGHHas FixAdded at: Sep 20, 2023