CVE-2024-29509 - Vulnerability Details - OpenCVE

Description

Artifex Ghostscript before 10.03.0 has a heap-based overflow when PDFPassword (e.g., for runpdf) has a \000 byte in the middle.

Published: 2024-07-03

Score: 8.8 High

EPSS: 2.1% Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

n/a

affected

Version	Status	Constraints
`n/a`	affected	—

Configuration 1 [-]

cpe:2.3:a:artifex:ghostscript:*:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DSA	DSA-5760-1	ghostscript security update
EUVD	EUVD-2024-26512	Artifex Ghostscript before 10.03.0 has a heap-based overflow when PDFPassword (e.g., for runpdf) has a \000 byte in the middle.
Ubuntu USN	USN-6897-1	Ghostscript vulnerabilities

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0215.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://bugs.ghostscript.com/show_bug.cgi?id=707510
https://git.ghostscript.com/?p=ghostpdl.git%3Bh=917b3a71fb20748965254631199ad98210d6c2fb
https://nvd.nist.gov/vuln/detail/CVE-2024-29509
https://www.cve.org/CVERecord?id=CVE-2024-29509
https://www.openwall.com/lists/oss-security/2024/07/03/7

History

Thu, 20 Mar 2025 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Subscriptions

Artifex Ghostscript

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2024-07-03T00:00:00.000Z

Updated: 2025-03-20T19:06:20.794Z

Reserved: 2024-03-19T00:00:00.000Z

Link: CVE-2024-29509

Vulnrichment

Updated: 2024-08-02T01:10:55.454Z

NVD

Status : Modified

Published: 2024-07-03T18:15:04.973

Modified: 2025-03-20T19:15:28.703

Link: CVE-2024-29509

Redhat

Severity : Moderate

Publid Date: 2024-07-03T00:00:00Z

Links: CVE-2024-29509 - Bugzilla

OpenCVE Enrichment

No data.

Weaknesses

{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2024-29509", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2025-03-20T19:06:20.794Z", "dateReserved": "2024-03-19T00:00:00.000Z", "datePublished": "2024-07-03T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-07-03T18:04:03.716Z"}, "descriptions": [{"lang": "en", "value": "Artifex Ghostscript before 10.03.0 has a heap-based overflow when PDFPassword (e.g., for runpdf) has a \\000 byte in the middle."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://bugs.ghostscript.com/show_bug.cgi?id=707510"}, {"url": "https://git.ghostscript.com/?p=ghostpdl.git%3Bh=917b3a71fb20748965254631199ad98210d6c2fb"}, {"url": "https://www.openwall.com/lists/oss-security/2024/07/03/7"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-787", "lang": "en", "description": "CWE-787 Out-of-bounds Write"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-07-22T16:36:26.547373Z", "id": "CVE-2024-29509", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-20T19:06:20.794Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:10:55.454Z"}, "title": "CVE Program Container", "references": [{"url": "https://bugs.ghostscript.com/show_bug.cgi?id=707510", "tags": ["x_transferred"]}, {"url": "https://git.ghostscript.com/?p=ghostpdl.git%3Bh=917b3a71fb20748965254631199ad98210d6c2fb", "tags": ["x_transferred"]}, {"url": "https://www.openwall.com/lists/oss-security/2024/07/03/7", "tags": ["x_transferred"]}]}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://bugs.ghostscript.com/show_bug.cgi?id=707510", "tags": ["x_transferred"]}, {"url": "https://git.ghostscript.com/?p=ghostpdl.git%3Bh=917b3a71fb20748965254631199ad98210d6c2fb", "tags": ["x_transferred"]}, {"url": "https://www.openwall.com/lists/oss-security/2024/07/03/7", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:10:55.454Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-29509", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-22T16:36:26.547373Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-787", "description": "CWE-787 Out-of-bounds Write"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-22T16:36:33.423Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://bugs.ghostscript.com/show_bug.cgi?id=707510"}, {"url": "https://git.ghostscript.com/?p=ghostpdl.git%3Bh=917b3a71fb20748965254631199ad98210d6c2fb"}, {"url": "https://www.openwall.com/lists/oss-security/2024/07/03/7"}], "descriptions": [{"lang": "en", "value": "Artifex Ghostscript before 10.03.0 has a heap-based overflow when PDFPassword (e.g., for runpdf) has a \\000 byte in the middle."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-07-03T18:04:03.716Z"}}}, "cveMetadata": {"cveId": "CVE-2024-29509", "state": "PUBLISHED", "dateUpdated": "2025-03-20T19:06:20.794Z", "dateReserved": "2024-03-19T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2024-07-03T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:artifex:ghostscript:*:*:*:*:*:*:*:*", "matchCriteriaId": "C94A899E-28C1-4FC0-B645-B5BE7AB34082", "versionEndExcluding": "10.03.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Artifex Ghostscript before 10.03.0 has a heap-based overflow when PDFPassword (e.g., for runpdf) has a \\000 byte in the middle."}, {"lang": "es", "value": "Artifex Ghostscript anterior a 10.03.0 tiene un desbordamiento basado en mont\u00f3n cuando PDFPassword (por ejemplo, para runpdf) tiene un byte \\000 en el medio."}], "id": "CVE-2024-29509", "lastModified": "2025-03-20T19:15:28.703", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-07-03T18:15:04.973", "references": [{"source": "cve@mitre.org", "tags": ["Issue Tracking"], "url": "https://bugs.ghostscript.com/show_bug.cgi?id=707510"}, {"source": "cve@mitre.org", "tags": ["Broken Link"], "url": "https://git.ghostscript.com/?p=ghostpdl.git%3Bh=917b3a71fb20748965254631199ad98210d6c2fb"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://www.openwall.com/lists/oss-security/2024/07/03/7"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking"], "url": "https://bugs.ghostscript.com/show_bug.cgi?id=707510"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "https://git.ghostscript.com/?p=ghostpdl.git%3Bh=917b3a71fb20748965254631199ad98210d6c2fb"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://www.openwall.com/lists/oss-security/2024/07/03/7"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-787"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "ghostscript: heap buffer overflow via the PDFPassword parameter", "id": "2295628", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2295628"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L", "status": "draft"}, "cwe": "CWE-122", "details": ["Artifex Ghostscript before 10.03.0 has a heap-based overflow when PDFPassword (e.g., for runpdf) has a \\000 byte in the middle.", "A flaw was found in Ghostscript. The `runpdf` command allowed the new C-based PDF interpreter to be invoked from within PS. With this, it can pass various flags and arguments (for example, see `pdf_impl_set_param`) normally passed via the command line when the PDF interpreter is invoked directly. Because PS-strings are not null-terminated, this issue will result in a heap buffer overflow when a value of `PDFPassword` is supplied with a NULL byte in the middle."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-29509", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "ghostscript", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "ghostscript", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "ghostscript", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "ghostscript", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "gimp:flatpak/ghostscript", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "ghostscript", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-07-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-29509\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-29509\nhttps://bugs.ghostscript.com/show_bug.cgi?id=707510\nhttps://git.ghostscript.com/?p=ghostpdl.git%3Bh=917b3a71fb20748965254631199ad98210d6c2fb\nhttps://www.openwall.com/lists/oss-security/2024/07/03/7"], "statement": "This vulnerability in Ghostscript, while serious, is considered moderate rather than important due to several mitigating factors. First, exploitation requires specific conditions, including the ability to supply a crafted PS file with a malicious PDFPassword containing a NULL byte. This restricts the attack surface primarily to scenarios where untrusted PS files are processed. Additionally, the issue does not directly lead to remote code execution or privilege escalation without further exploitation techniques. Instead, it results in a heap buffer overflow, which can be challenging to exploit reliably due to modern memory protection mechanisms.", "threat_severity": "Moderate"}