CVE-2020-36773 - OpenCVE

Artifex Ghostscript before 9.53.0 has an out-of-bounds write and use-after-free in devices/vector/gdevtxtw.c (for txtwrite) because a single character code in a PDF document can map to more than one Unicode code point (e.g., for a ligature).

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Artifex	Ghostscript

Configuration 1 [-]

OR	cpe:2.3:a:artifex:ghostscript:9.51:::::::*
	cpe:2.3:a:artifex:ghostscript:9.52:::::::*
	cpe:2.3:a:artifex:ghostscript:9.52.1:::::::*
	cpe:2.3:a:artifex:ghostscript:9.53.0:rc1::::::
	cpe:2.3:a:artifex:ghostscript:9.53.0:rc2::::::

No data.

References

Link	Providers
https://bugs.ghostscript.com/show_bug.cgi?id=702229
https://bugzilla.opensuse.org/show_bug.cgi?id=1177922
https://git.ghostscript.com/?p=ghostpdl.git%3Ba=commit%3Bh=8c7bd787defa071c96289b7da9397f673fddb874
https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/tag/gs9530
https://nvd.nist.gov/vuln/detail/CVE-2020-36773
https://www.cve.org/CVERecord?id=CVE-2020-36773

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2024-02-04T00:00:00

Updated: 2024-08-04T17:37:07.276Z

Reserved: 2024-02-04T00:00:00

Link: CVE-2020-36773

Vulnrichment

Updated: 2024-08-04T17:37:07.276Z

NVD

Status : Analyzed

Published: 2024-02-04T18:16:00.713

Modified: 2024-03-04T23:04:23.720

Link: CVE-2020-36773

Redhat

Severity : Important

Publid Date: 2024-02-04T00:00:00Z

Links: CVE-2020-36773 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2020-36773", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-04T17:37:07.276Z", "dateReserved": "2024-02-04T00:00:00", "datePublished": "2024-02-04T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-02-04T17:23:56.159554"}, "descriptions": [{"lang": "en", "value": "Artifex Ghostscript before 9.53.0 has an out-of-bounds write and use-after-free in devices/vector/gdevtxtw.c (for txtwrite) because a single character code in a PDF document can map to more than one Unicode code point (e.g., for a ligature)."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://bugs.ghostscript.com/show_bug.cgi?id=702229"}, {"url": "https://git.ghostscript.com/?p=ghostpdl.git%3Ba=commit%3Bh=8c7bd787defa071c96289b7da9397f673fddb874"}, {"url": "https://bugzilla.opensuse.org/show_bug.cgi?id=1177922"}, {"url": "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/tag/gs9530"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2020-36773", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-05T15:56:53.734454Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-05T17:22:52.474Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T17:37:07.276Z"}, "title": "CVE Program Container", "references": [{"url": "https://bugs.ghostscript.com/show_bug.cgi?id=702229", "tags": ["x_transferred"]}, {"url": "https://git.ghostscript.com/?p=ghostpdl.git%3Ba=commit%3Bh=8c7bd787defa071c96289b7da9397f673fddb874", "tags": ["x_transferred"]}, {"url": "https://bugzilla.opensuse.org/show_bug.cgi?id=1177922", "tags": ["x_transferred"]}, {"url": "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/tag/gs9530", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://bugs.ghostscript.com/show_bug.cgi?id=702229", "tags": ["x_transferred"]}, {"url": "https://git.ghostscript.com/?p=ghostpdl.git%3Ba=commit%3Bh=8c7bd787defa071c96289b7da9397f673fddb874", "tags": ["x_transferred"]}, {"url": "https://bugzilla.opensuse.org/show_bug.cgi?id=1177922", "tags": ["x_transferred"]}, {"url": "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/tag/gs9530", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T17:37:07.276Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2020-36773", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-05T15:56:53.734454Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-05T15:20:44.239Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://bugs.ghostscript.com/show_bug.cgi?id=702229"}, {"url": "https://git.ghostscript.com/?p=ghostpdl.git%3Ba=commit%3Bh=8c7bd787defa071c96289b7da9397f673fddb874"}, {"url": "https://bugzilla.opensuse.org/show_bug.cgi?id=1177922"}, {"url": "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/tag/gs9530"}], "descriptions": [{"lang": "en", "value": "Artifex Ghostscript before 9.53.0 has an out-of-bounds write and use-after-free in devices/vector/gdevtxtw.c (for txtwrite) because a single character code in a PDF document can map to more than one Unicode code point (e.g., for a ligature)."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-02-04T17:23:56.159554"}}}, "cveMetadata": {"cveId": "CVE-2020-36773", "state": "PUBLISHED", "dateUpdated": "2024-08-04T17:37:07.276Z", "dateReserved": "2024-02-04T00:00:00", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2024-02-04T00:00:00", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:artifex:ghostscript:9.51:*:*:*:*:*:*:*", "matchCriteriaId": "C18E63CE-B2D5-44A2-89E0-B2C6A3554D79", "vulnerable": true}, {"criteria": "cpe:2.3:a:artifex:ghostscript:9.52:*:*:*:*:*:*:*", "matchCriteriaId": "BF20A2FF-98ED-45EF-9263-D915D7A1953D", "vulnerable": true}, {"criteria": "cpe:2.3:a:artifex:ghostscript:9.52.1:*:*:*:*:*:*:*", "matchCriteriaId": "FCA9F31F-F4B8-43E6-A747-BDC189BADD05", "vulnerable": true}, {"criteria": "cpe:2.3:a:artifex:ghostscript:9.53.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "E6FE7E73-AE7B-42D4-8E83-17249CC9F46A", "vulnerable": true}, {"criteria": "cpe:2.3:a:artifex:ghostscript:9.53.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "AC033F01-8AF9-4B10-9789-35255739A232", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Artifex Ghostscript before 9.53.0 has an out-of-bounds write and use-after-free in devices/vector/gdevtxtw.c (for txtwrite) because a single character code in a PDF document can map to more than one Unicode code point (e.g., for a ligature)."}, {"lang": "es", "value": "Artifex Ghostscript anterior a 9.53.0 tiene una escritura y un use-after-free fuera de los l\u00edmites en devices/vector/gdevtxtw.c (para txtwrite) porque un c\u00f3digo de un solo car\u00e1cter en un documento PDF se puede asignar a m\u00e1s de un punto de c\u00f3digo Unicode. (por ejemplo, para una ligadura)."}], "id": "CVE-2020-36773", "lastModified": "2024-03-04T23:04:23.720", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-02-04T18:16:00.713", "references": [{"source": "cve@mitre.org", "tags": ["Issue Tracking", "Patch"], "url": "https://bugs.ghostscript.com/show_bug.cgi?id=702229"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking"], "url": "https://bugzilla.opensuse.org/show_bug.cgi?id=1177922"}, {"source": "cve@mitre.org", "tags": ["Broken Link"], "url": "https://git.ghostscript.com/?p=ghostpdl.git%3Ba=commit%3Bh=8c7bd787defa071c96289b7da9397f673fddb874"}, {"source": "cve@mitre.org", "tags": ["Release Notes"], "url": "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/tag/gs9530"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}, {"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "Ghostscript: out-of-bounds write and use-after-free in devices/vector/gdevtxtw.c (for txtwrite)", "id": "2262734", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2262734"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "(CWE-416|CWE-787)", "details": ["Artifex Ghostscript before 9.53.0 has an out-of-bounds write and use-after-free in devices/vector/gdevtxtw.c (for txtwrite) because a single character code in a PDF document can map to more than one Unicode code point (e.g., for a ligature).", "An out-of-bounds write, and a use-after-free flaw was found in Ghostscript. The flaw is present in devices/vector/gdevtxtw.c, for txtwrite, due to a single character code in a PDF document that can map to more than one Unicode code point (for example, a ligature)."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2020-36773", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "ghostscript", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "ghostscript", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "ghostscript", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "gimp:flatpak/ghostscript", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "ghostscript", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-02-04T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-36773\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-36773\nhttps://bugs.ghostscript.com/show_bug.cgi?id=702229\nhttps://bugzilla.opensuse.org/show_bug.cgi?id=1177922\nhttps://git.ghostscript.com/?p=ghostpdl.git%3Ba=commit%3Bh=8c7bd787defa071c96289b7da9397f673fddb874\nhttps://github.com/ArtifexSoftware/ghostpdl-downloads/releases/tag/gs9530"], "statement": "The identified vulnerability in Ghostscript introduced in version 9.50 and FIxed in 9.53.0, this represents a important security issue due to its potential for exploitation by malicious actors. The out-of-bounds write and use-after-free flaws in the txtwrite module can be leveraged to execute arbitrary code or trigger denial-of-service attacks, compromising the integrity, confidentiality, and availability of systems where Ghostscript is deployed. Given the widespread use of Ghostscript in handling PDF documents across various platforms and applications, the vulnerability poses a significant risk to users' data and infrastructure.\nRed Hat Enterprise Linux is Not affected by this vulnerability.", "threat_severity": "Important"}