CVE-2024-29507 - Vulnerability Details - OpenCVE

Artifex Ghostscript before 10.03.0 sometimes has a stack-based buffer overflow via the CIDFSubstPath and CIDFSubstFont parameters.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00115.

Exploitation none

Automatable no

Technical Impact partial

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

n/a

affected

Version	Status	Constraints
`n/a`	affected	—

Configuration 1 [-]

cpe:2.3:a:artifex:ghostscript:*:*:*:*:*:*:*:*

No data.

No data.

Subscriptions

Vendors	Products
Artifex Subscribe	Ghostscript Subscribe

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DSA	DSA-5760-1	ghostscript security update
Ubuntu USN	USN-6897-1	Ghostscript vulnerabilities

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://bugs.ghostscript.com/show_bug.cgi?id=707510
https://git.ghostscript.com/?p=ghostpdl.git%3Ba=commitdiff%3Bh=7745dbe24514
https://nvd.nist.gov/vuln/detail/CVE-2024-29507
https://www.cve.org/CVERecord?id=CVE-2024-29507
https://www.openwall.com/lists/oss-security/2024/07/03/7

History

Mon, 28 Apr 2025 17:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Artifex Artifex ghostscript
CPEs		cpe:2.3:a:artifex:ghostscript::::::::
Vendors & Products		Artifex Artifex ghostscript

Tue, 03 Dec 2024 16:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-120
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2024-07-03T00:00:00.000Z

Updated: 2024-12-03T15:41:47.471Z

Reserved: 2024-03-19T00:00:00.000Z

Link: CVE-2024-29507

Vulnrichment

Updated: 2024-08-02T01:10:55.452Z

NVD

Status : Analyzed

Published: 2024-07-03T19:15:03.240

Modified: 2025-04-28T17:12:33.127

Link: CVE-2024-29507

Redhat

Severity : Moderate

Publid Date: 2024-07-03T00:00:00Z

Links: CVE-2024-29507 - Bugzilla

OpenCVE Enrichment

No data.

Weaknesses

{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2024-29507", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-12-03T15:41:47.471Z", "dateReserved": "2024-03-19T00:00:00.000Z", "datePublished": "2024-07-03T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-07-03T18:27:37.439Z"}, "descriptions": [{"lang": "en", "value": "Artifex Ghostscript before 10.03.0 sometimes has a stack-based buffer overflow via the CIDFSubstPath and CIDFSubstFont parameters."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://bugs.ghostscript.com/show_bug.cgi?id=707510"}, {"url": "https://git.ghostscript.com/?p=ghostpdl.git%3Ba=commitdiff%3Bh=7745dbe24514"}, {"url": "https://www.openwall.com/lists/oss-security/2024/07/03/7"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-120", "lang": "en", "description": "CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-07-09T15:10:58.689777Z", "id": "CVE-2024-29507", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-12-03T15:41:47.471Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:10:55.452Z"}, "title": "CVE Program Container", "references": [{"url": "https://bugs.ghostscript.com/show_bug.cgi?id=707510", "tags": ["x_transferred"]}, {"url": "https://git.ghostscript.com/?p=ghostpdl.git%3Ba=commitdiff%3Bh=7745dbe24514", "tags": ["x_transferred"]}, {"url": "https://www.openwall.com/lists/oss-security/2024/07/03/7", "tags": ["x_transferred"]}]}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://bugs.ghostscript.com/show_bug.cgi?id=707510", "tags": ["x_transferred"]}, {"url": "https://git.ghostscript.com/?p=ghostpdl.git%3Ba=commitdiff%3Bh=7745dbe24514", "tags": ["x_transferred"]}, {"url": "https://www.openwall.com/lists/oss-security/2024/07/03/7", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:10:55.452Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-29507", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-09T15:10:58.689777Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-120", "description": "CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-09T15:11:27.290Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://bugs.ghostscript.com/show_bug.cgi?id=707510"}, {"url": "https://git.ghostscript.com/?p=ghostpdl.git%3Ba=commitdiff%3Bh=7745dbe24514"}, {"url": "https://www.openwall.com/lists/oss-security/2024/07/03/7"}], "descriptions": [{"lang": "en", "value": "Artifex Ghostscript before 10.03.0 sometimes has a stack-based buffer overflow via the CIDFSubstPath and CIDFSubstFont parameters."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-07-03T18:27:37.439701"}}}, "cveMetadata": {"cveId": "CVE-2024-29507", "state": "PUBLISHED", "dateUpdated": "2024-12-03T15:41:47.471Z", "dateReserved": "2024-03-19T00:00:00", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2024-07-03T00:00:00", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:artifex:ghostscript:*:*:*:*:*:*:*:*", "matchCriteriaId": "C94A899E-28C1-4FC0-B645-B5BE7AB34082", "versionEndExcluding": "10.03.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Artifex Ghostscript before 10.03.0 sometimes has a stack-based buffer overflow via the CIDFSubstPath and CIDFSubstFont parameters."}, {"lang": "es", "value": "Artifex Ghostscript anterior a 10.03.0 a veces tiene un desbordamiento del b\u00fafer basado en pila a trav\u00e9s de los par\u00e1metros CIDFSubstPath y CIDFSubstFont."}], "id": "CVE-2024-29507", "lastModified": "2025-04-28T17:12:33.127", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-07-03T19:15:03.240", "references": [{"source": "cve@mitre.org", "tags": ["Issue Tracking"], "url": "https://bugs.ghostscript.com/show_bug.cgi?id=707510"}, {"source": "cve@mitre.org", "tags": ["Broken Link"], "url": "https://git.ghostscript.com/?p=ghostpdl.git%3Ba=commitdiff%3Bh=7745dbe24514"}, {"source": "cve@mitre.org", "tags": ["Mailing List"], "url": "https://www.openwall.com/lists/oss-security/2024/07/03/7"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking"], "url": "https://bugs.ghostscript.com/show_bug.cgi?id=707510"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "https://git.ghostscript.com/?p=ghostpdl.git%3Ba=commitdiff%3Bh=7745dbe24514"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"], "url": "https://www.openwall.com/lists/oss-security/2024/07/03/7"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-120"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "ghostscript: stack-based buffer overflow via the CIDFSubstPath and CIDFSubstFont parameters", "id": "2295647", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2295647"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L", "status": "draft"}, "cwe": "CWE-121", "details": ["Artifex Ghostscript before 10.03.0 sometimes has a stack-based buffer overflow via the CIDFSubstPath and CIDFSubstFont parameters.", "A flaw was found in Ghostscript. Under specific conditions, the `cidfsubstpath` and `cidfsubstfont` parameters set by corresponding Postscript objects are used to load substitute fonts in `pdfi_open_CIDFont_substitute_file`. The values are copied via `memcpy` into the `fontfname` buffer without bounds checks. This flaw allows an attacker to pass values larger than the buffer size to trigger a stack buffer overflow, leading to a denial of service or other unexpected behavior."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-29507", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "ghostscript", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "ghostscript", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "ghostscript", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "ghostscript", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "gimp:flatpak/ghostscript", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "ghostscript", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-07-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-29507\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-29507\nhttps://bugs.ghostscript.com/show_bug.cgi?id=707510\nhttps://git.ghostscript.com/?p=ghostpdl.git%3Ba=commitdiff%3Bh=7745dbe24514\nhttps://www.openwall.com/lists/oss-security/2024/07/03/7"], "statement": "The buffer overflow vulnerability in Ghostscript, while serious, is categorized as moderate severity due to its limited impact vector and exploitation complexity. The flaw involves unchecked copying of data into a buffer via memcpy when handling the cidfsubstpath and cidfsubstfont parameters. Although this can lead to a stack buffer overflow, resulting in potential denial of service or unexpected behavior, the exploitability is constrained by specific conditions under which the parameters must be set. Furthermore, successful exploitation requires the attacker to have control over the input parameters and the environment in which Ghostscript operates.", "threat_severity": "Moderate"}