CVE-2024-46954: 
Ghostscript vulnerability analysis and mitigation

CVE-2024-46954 is a directory traversal vulnerability discovered in Artifex Ghostscript versions before 10.04.0. The vulnerability exists in the decode_utf8 function within base/gp_utf8.c, where overlong UTF-8 encoding can be exploited to perform directory traversal attacks (NVD, CVE).

The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The issue stems from improper handling of overlong UTF-8 encodings in the decode_utf8 function, which could be exploited to bypass directory restrictions. The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) (NVD).

If exploited, this vulnerability could allow an attacker to perform directory traversal attacks, potentially accessing unauthorized filesystem directories. The high CVSS score indicates significant potential impacts on confidentiality, integrity, and availability of the affected system (NVD).

The vulnerability has been fixed in Ghostscript version 10.04.0. The fix includes additional checks to forbid overlong encodings that could be used by malicious code to escape directories. Users are advised to upgrade to version 10.04.0 or later (Ghostscript News).