CVE-2023-36664 Published on: Not Yet Published Last Modified on: 09/17/2023 07:15:00 AM UTC CVE-2023-36664 Source: Mitre Source: NIST CVE. A security vulnerability has been identified in Artifex Ghostscript, which is used for file rendering and conversion. 04 LTS; USN-6495-1: Linux kernel vulnerabilities › 21 November 2023. (This is fixed in, for example, Shibboleth Service. Are you sure you wish to delete this message from the message archives of yocto-security@lists. This vulnerability has been attributed a sky-high CVSS score of 9. Also I reported this on Mx-linux forum and was banned. Assigner: Microsoft Corporation. pypdf is an open source, pure-python PDF library. 4 # Tested with Ghostscript version 10. Solution Update the affected ghostscript package. 01. CVE-2023-36664: Artifex Ghostscript through 10. Severity: Critical. com Mon Jul 10 13:58:55 UTC 2023. TOTAL CVE Records: 217028 NOTICE: Transition to the all-new CVE website at WWW. Wiz Research discovered #CVE-2023-2640 and #CVE-2023-32629, two easy-to-exploit privilege escalation vulnerabilities in the OverlayFS module in #Ubuntu affecting 40% of Ubuntu cloud workloads. December 16, 2021: Apache. CVE-2023-0950 Array Index UnderFlow in Calc Formula Parsing. 2. NOTICE: Legacy CVE List download formats will be phased out beginning January 1, 2024. CVE. For those unacquainted with the backstage of software utilities, Ghostscript is the unsung hero of the PostScript and PDF world. We also display any CVSS information provided within the CVE List from the CNA. MLIST: [oss-security] 20221011 CVE-2022-40664: Apache Shiro: Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher. Aside from that all we get regarding the vulnerability is what happens if it is exploited. 10. Package Release Status; nettleCVE - CVE-2023-36164. Max Base ScoreCVE - CVE-2023-31664. This patch also addresses CVE-2023-32002 CVE-2023-32003 CVE-2023-32004 CVE-2023-32006 CVE-2023-32558 CVE-2023-32559. 3. Announced: June 19, 2023. 2-1. ghostscript: fix CVE-2023-36664. 2, which is the latest available version. ghostscript. Susanne. Alma Linux: CVE-2023-36664: Important: ghostscript security update (ALSA-2023-5459) Free InsightVM Trial No Credit Card Necessary. Full Changelog. Keywords: Status: CLOSED ERRATA Alias: CVE-2023-36664 Product: Security Response Classification: Other Component: vulnerability Sub Component: Version: unspecified Hardware: All. The OCB feature in libnettle in Nettle 3. 1. No known source code Dependabot alerts are not supported on this advisory because it does not have a package. 03/09/2023 Source: VulDB. (Last updated October 08, 2023) . by do son · August 14, 2023 A proof-of-concept (PoC) exploit code has been made available for the recently disclosed critical security flaw, tracked as CVE-2023-36664, affecting the. 2 release fixes CVE-2023-36664. Important CVE JSON 5 Information. (select "Other" from dropdown)redhat-upgrade-libgs. Let's conquer challenges together in the realms of CyberSec, TryHackMe, HTB, and more! Connect with me and let's explore the. 19 when executing the GregorianCalender. Related. 9-HF2 and below, 6. The Common Vulnerabilities and Exposures (CVE) system is used to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. Description. CVE-ID; CVE-2023-25664: Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information. CVE-2020-36664 Detail Description . This vulnerability CVE-2023-36664 was assigned a CVSS score of 9. TOTAL CVE Records: 217168 NOTICE: Transition to the all-new CVE website at WWW. These vulnerabilities are specific to the Siemens RUGGEDCOM ROX product and are not present on LoadMaster. Alma Linux: CVE-2023-36664: Important: ghostscript security update (ALSA-2023-5459). 4. A type confusion vulnerability exists in the Javascript checkThisBox method as implemented in Foxit Reader 12. The advisory is shared at bugs. CVE-2023-36664: N/A: N/A: Not Vulnerable. 13. 1R18. 6. 3 # Injects code into a PS or EPS file that is triggered when opened with Ghostscript version prior to 10. Microsoft WordPad Information Disclosure Vulnerability. New CVE List download format is available now. The software does not properly handle permission validation for pipe devices, which could. Fixed a security vulnerability regarding Ghostscript (CVE-2023-36664). 7. org Gentoo Linux Security Advisory 202309-3 - Multiple vulnerabilities have been discovered in GPL. Security issue in PowerFactory licence component (CVE-2023-3935) Latest information about CVE-2023-36664 (Proof-of-Concept Exploit in Ghostscript) in context UT for ArcGIS; UT for ArcGIS R3 Desktop Build 6705; UT for ArcGIS R3 Server Build 6705; UT for ArcGIS R3 Server Build 6604; UT for ArcGIS R3 Desktop Build 6604; UT CBYD 10. Changes in percentiles are ignored as they change everyday, because a change in a single EPSS score affects every other EPSS percentile. 8). Fixed a security vulnerability regarding OpenSSL (CVE-2023-1255). New CVE List download format is available now. This is an unauthenticated RCE (remote code execution), which means an attacker can run arbitrary code on your ADC without authentication. Description "protobuf. View records in the new format using the CVE ID lookup above or download them on the Downloads page. The remote Ubuntu 20. CVE-2023-36661 at MITRE. April 3, 2023: Ghostscript/GhostPDL 10. Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation) Impact: Processing web content may lead to arbitrary code execution. On June 25, 2023, a vulnerability was disclosed in Ghostscript CVE-2023-36664 prior to the 10. 55 leads to HTTP Request Smuggling vulnerability. 2. New CVE List download format is available now. Updated to Ghostscript 10. 01. 8. 0-12] - fix for CVE-2023-36664 - Resolves: rhbz#2217810. CVE-2022-3140 Macro URL arbitrary script execution. ORG and CVE Record Format JSON are underway. md","contentType":"file"}],"totalCount":1. 8. 8. CVE-2023-36884 is a RCE vulnerability in Microsoft Windows and Office that was assigned a CVSSv3 score of 8. After getting the . 7. 01. - Outcome of the update: SUCCESSFUL - DSM version prior update: DSM 7. CVE-2023-31124, CVE-2023-31130, CVE-2023-31147, CVE-2023-32067. CVE-2023-36664: Description: Artifex Ghostscript through 10. 01. 36. 4. 3. Please note that we will be transitioning to a new site on August 31, 2023, where we will post the vulnerability reports. 0 for release, although there hasn’t been any. Provide training and support on CVE assessments and scoring and ensure consistency across different CNAs. 8 (Accepted) Ubuntu Archive Robot ubuntu-archive-robot at lists. Security fixes for SAP NetWeaver based products are also. Summary: CVE-2023-36664 ghostscript: vulnerable to OS command injection due to mishand. 0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the. A vulnerability in the web-based management interface of Cisco Prime Infrastructure Software could allow an unauthenticated, remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the interface on an affected device. Ghostscript command injection vulnerability PoC (CVE-2023-36664) General Vulnerability disclosed in Ghostscript prior to version 10. 【訳】人気のオープンソースPDFライブラリGhostscriptにクリティカルなRCEが見つかる 【概要】 公開日 登録日 CVE番号 NVD ベンダー CVSS v3 CWE 脆弱性 備考 2023/07/12 2023/06/25 CVE-2023-36664 NVD ベンダー - - - 【ニュース】 Critical RCE. 6/7. 13. Usage. Artifex Ghostscript through 10. 2-64570 Update 3CVE-2023-36753 CVE-2023-36752 CVE-2023-36751 CVE-2023-36750: N/A: N/A: Not Vulnerable. Artifex Ghostscript through 10. New CVE List download format is available now. 2. Immich - Self-hosted photos and videos backup solution from your mobile phone (AKA Google Photos replacement you have been waiting for!) - October 2023 Update - Support for external libraries, map view on mobile app, video transcoding with hardware. Several security issues were fixed in the Linux kernel. 2. OS OS Version Package Name Package Version; Debian: 12: ghostscript: 10. Apache Calcite Avatica JDBC driver creates HTTP client instances based on class names provided via `connection property; however, the driver does not verify if the class implements the expected interface before instantiating it, which can lead to code execution loaded via arbitrary classes and in rare. 0 metrics NOTE: The following CVSS v3. It was found that although the root cause of the crash is an old issue, a recent fix for a rare issue in the C2 compiler (JDK-8297951) made the crash much more likely. yoctoproject. Important. Die Schwachstelle mit der CVE-Nummer CVE-2023-36664 und einer CVSS-Bewertung von 9. Fixed a security vulnerability regarding OpenSSL (CVE-2023-1255). 01. 7. may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE. CVE-2022-36664 Detail Description Password Manager for IIS 2. 0, there is a buffer overflow leading to potential corruption of data internal to the PostScript interpreter, in base/sbcp. 8), in the widely used (for PostScript and PDF displays) GhostScript software. Description: LibreOffice supports embedded databases in its odb file format. For further information, see CVE-2023-0975. pypdf is an open source, pure-python PDF library. April 4, 2022: Ghostscript/GhostPDL 9. Release/Architecture: Filename: MD5sum: Superseded By Advisory: Channel Label: Oracle Linux 9 (aarch64) ghostscript-9. The bug, known as CVE-2023-36664, was present until the recent release of Ghostscript version 10. dll ResultURL parameter. Version: 7. 2 mishandles permission validation for pipe devices (with the %pipe% prefix or the | pipe character prefix). computeTime () method (JDK-8307683). CVE-2023-28879: In Artifex Ghostscript through 10. Your Synology NAS may not notify you of this DSM update because of the following reasons. Fixed a security vulnerability regarding Sudo (CVE-2023-22809). 2. The NVD will only audit a subset of scores provided by this CNA. Nitro Pro v14. Vulnerability report for Ghostscript (CVE-2023-36664) older versions offered with CorelDRAW Graphics Suite and CorelDRAW Technical Suite 2 users found this article helpful . GHSA-9gf6-5j7x-x3m9. Status of this issue by product and package. To dig deeper into the technical aspects, refer to CVE-2023-36664 in the Common Vulnerabilities and Exposures (CVE) database. 12 serves as a replacement for Red Hat Fuse 7. 👻 . Ghostscript has a critical RCE vulnerability: the CVE-2023-36664. Easy-to-Use RESTful API. 1, there is a heap buffer overflow in. The latest update to the Fusion scan engine that powers our internal and external vulnerability scanning is now. CVE. An attacker could exploit. 01. Full Changelog. New CVE List download format is available now. Go to for: CVSS Scores CPE Info CVE List. CVE-2023-36563 Detail Description . dll ResultURL parameter. We also display any CVSS information provided within the CVE List from the CNA. 01. (CVE-2023-36664) Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number. Upstream information. 0~dfsg-11+deb12u1. 13. 2 due to a critical security flaw in lower versions. The NVD will only audit a subset of scores provided by this CNA. Account. 6+, a specially crafted HTTP request may cause an authentication bypass. 34 installer revision 2 Fix security issues in Ghostscript (CVE-2023-36664), OpenSSL (#9397 and more fixed in 3. Issues addressed include a code execution vulnerability. Susanne. 01. NOTICE: Transition to the all-new CVE website at WWW. canonical. Sicherheitslücke in Ghostscript (CVE-2023-36664; BSI Warnung vom 14. 01. Get product support and knowledge from the open source experts. dll ResultURL parameter. The most common reason for this is that publicly available information does not provide sufficient. Version: 7. The mission of the CVE® Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. This vulnerability has been attributed a sky-high CVSS score of 9. 38. We all heard about #ghostscript command execution CVE-2023-36664 👾 Now a PoC and Exploit have been developed at #vsociety by Ákos Jakab 🚀 Check it out: Along with. CVE Dictionary Entry: CVE-2021-3664 NVD Published Date: 07/26/2021 NVD Last Modified: 02/22/2023 Source: huntr. CVE-2023-36664 Artifex Ghostscript through 10. Fixed a security vulnerability regarding Sudo (CVE-2023-22809). CVE 2023 25690 Proof of concept - mod_proxy vulnerable configuration on Apache HTTP Server versions 2. 1 # @jakabakos 2 # Exploit script for CVE-2023-36664 3 # Injects code into a PS or EPS file that is triggered when opened with Ghostscript version prior to 10. This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities. Jul, 21 2023. 01. 0-14. 06 annually. 01. 01. ORG Print: PDF Certain versions of Ghostscript from Artifex contain the following vulnerability: Artifex Ghostscript through 10. ORG and CVE Record Format JSON are underway. ArgoCD: JWT audience claim is not verified (CVE-2023-22482) For more details about the security issue (s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE. 12 serves as a replacement for Red Hat Fuse 7. 2 mishandles permission validationVertiGIS uses this page to provide centralized information about the critical vulnerability CVE-2023-36664, known as "Proof-of-Concept Exploit in Ghostscript", disclosed on 11. eps file, send the file to dr. x Severity and Metrics: NIST: NVD. Thank you very Much. Almost invisibly embedded in hundreds of software suites and. See breakdown. 01. md","path":"README. 0. CVE-2023-36664: Resolved: Upgrade to v13. Security Fix (es): hazelcast: Hazelcast connection caching (CVE-2022-36437)Product(s) Source package State; Products under general support and receiving all security fixes. A type confusion vulnerability exists in the Javascript checkThisBox method as implemented in Foxit Reader 12. 15332. Welcome to the new CVE Beta website! CVE Records have a new and enhanced format. Today is Microsoft's July 2023 Patch Tuesday, with security updates for 132 flaws, including six actively exploited and thirty-seven remote code execution vulnerabilities. MLIST: [oss-security] 20220728 CVE-2022-36364: Apache Calcite Avatica JDBC driver `connection property can be used as an RCE vector. It arises from a specific function in Ghostscript: “gp_file_name_reduce()“, a seemingly benign component that takes multiple paths, combines them, and simplifies them by removing relative path references. As of July 11, 2023 (patch day), another 0-day vulnerability (CVE-2023-36884) has become public, which allows remote code execution in Microsoft Windows and Office. Report As Exploited in the Wild. A vulnerability has been found in Artesãos SEOTools up to 0. If you install Windows security updates released in June. Juli 2023 wurde zu einer kritischen Schwachstelle in der Open-Source PDF Bibliothek Ghostscript ein Proof-of-Concept Exploit veröffentlicht [KRO2023]. This vulnerability affects the function setTitle of the file SEOMeta. 0, there is a buffer overflow lea. 2-64570 Update 3 CVE-2023-36753 CVE-2023-36752 CVE-2023-36751 CVE-2023-36750: N/A: N/A: Not Vulnerable. July, 2023, and its impact on VertiGIS product families as well as partner products. The most common reason for this is that publicly available information does not provide sufficient detail or that information simply was not available at the time the CVSS vector string was assigned. CVE-2022-3140 Macro URL arbitrary script execution. Addressed in LibreOffice 7. NOTICE: Legacy CVE List download formats will be phased out beginning January 1, 2024. Fixed a security vulnerability regarding Ghostscript (CVE-2023-36664). 8. In affected versions an attacker may craft a PDF which leads to an infinite loop if `__parse_content_stream` is executed. A Type Confusion vulnerability was found in the Spotlight RPC functions in afpd in Netatalk 3. Lightweight Endpoint Agent; Live Dashboards; Real Risk Prioritization; IT-Integrated Remediation Projects; Cloud, Virtual, and Container Assessment; Integrated Threat Feeds;CVE-2023-36664 affects all Ghostscript/GhostPDL versions prior to 10. This vulnerability CVE-2023-36664 was assigned a CVSS score of 9. 11. 10. Published: 2023-06-25. 8 import os. CVE-2023-43115: Updated Packages. Updated : 2023-03-09 21:02. 11, 1. The mission of the CVE® Program is to identify, define, and catalog. This allows the user to elevate their permissions. 2 mishandles permission validation for pipe devices (with the %pipe% prefix or the. Roxio: Die Windows-Speicherintegritätsfunktion kann nicht aktiviert werden, da bestimmte Roxio-Gerätetreiber nicht kompatibel sind. This vulnerability affects the function setTitle of the file SEOMeta. 01. 2 mishandles permission validation for pipe devices (with the %pipe% prefix or the | pipe character prefix). 8. 04 ; Ubuntu 22. 01. - Artifex Ghostscript through 10. 01. Sniper B1 (Rev 1. Home > CVE > CVE-2023-31664. This could have led to malicious websites storing tracking data. 13. Fixed a security vulnerability regarding Ghostscript (CVE-2023-36664). 0. Red Hat Product Security has rated this update as having a security impact of Important. Artifex Ghostscript vulnerability CVE-2023-36664. 8 HIGH. It introduces new checks for PostgreSQL, Microsoft Azure SQL Database, and DynamoDB. Follow the watchTowr Labs Team. New features. jaikishantulswani opened this issue Aug 17, 2023 · 0 comments Comments. CVE-2023-36664 affects all Ghostscript/GhostPDL versions prior to 10. Version: 7. exe file on the target computer. 01. 54. 70. We also display any CVSS information provided within the CVE List from the CNA. CVE-ID; CVE-2023-36764: Learn more at National Vulnerability Database (NVD)NVD Analysts use publicly available information to associate vector strings and CVSS scores. Dieser Artikel wird aktualisiert, sobald neue Informationen verfügbar sind. Modified on 2023-08-08. 1-8. CVE-ID; CVE-2023-36434: Learn more at National Vulnerability Database (NVD)01:49 PM. 1. 2. 01. CVE-2023-36664 Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE. 2 due to a critical security flaw in lower versions. - Artifex Ghostscript through 10. For example: nc -l -p 1234. 01. 01. 2 version that allows for remote code execution. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available. NOTICE: Transition to the all-new CVE website at WWW. 2 through 5. 7. CVE-2023-36464 Detail Description . The Common Vulnerabilities and Exposures (CVE) system is used to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. 0. CVE reports. Public on 2023-06-25. 1 and classified as problematic. 17. The software mishandles permission validation for pipe devices (with the %pipe% prefix or the | pipe character prefix). Die Schwachstelle mit der CVE-Nummer CVE-2023-36664 und einer CVSS-Bewertung von 9. Hi Jana, the GIMP devs have not released a patch for this issue yet, but I imagine it’s been added to the list. Microsoft Exchange Server Remote Code Execution Vulnerability. 1. Note: The CNA providing a score has achieved an Acceptance Level of Provider. If you want. el9_2 0. NOTICE: Legacy CVE List download formats will be phased out beginning January 1, 2024. 01. (CVE-2023-36664) Note that Nessus has. GIMP for Windows. It arose from Ghostscript's handling of filenames for output, which could be manipulated to send the output into a pipe rather than a regular file. These vulnerabilities are specific to the Siemens RUGGEDCOM ROX product and are not present on LoadMaster. For more. 2 release fixes CVE-2023-36664. View JSON . To dig deeper into the technical aspects, refer to CVE-2023-36664 in the Common Vulnerabilities and Exposures (CVE) database. CVE-2023-48365. Your Synology NAS may not notify you of this DSM update because of the following reasons. CVE-2022-23121. CVSS. 2, the most recent release. 9. When. A vulnerability in the request authentication validation for the REST API of Cisco SD-WAN vManage software could allow an unauthenticated, remote attacker to gain read permissions or limited write permissions to the configuration of an affected Cisco SD-WAN vManage instance. CVSS v3. This patch also addresses CVE-2023-28319 CVE-2023-28320 CVE-2023-28321 CVE-2023-28322. Pulse Secure Installer Service: Upgrade to the 9. jakabakos / CVE-2023-36664-Ghostscript-command-injection Public. Legacy CVE List download formats will be phased out beginning January 1, 2024 New CVE List download format is. Base Score: 7. 2 mishandles permission validation for pipe devices (with the %pipe% prefix or the. 01. A high-severity vulnerability in Ghostscript tagged as CVE-2023-36664 could allow an attacker to take over a routine and even execute commands on systems. Ensure CNAs have access to CVE Program infrastructure for CVE ID reservation and record publication. The vulnerability, identified by the CVE-2023-27269. CVE-2023-36664 has not been enriched. We also display any CVSS information provided within the CVE List from the CNA. Description. CVE-2023-2255 Remote documents loaded without prompt via IFrame. 13]Missing StorageProfile defaults for IBM and AWS EFS CSI provisionersThe Citrix Security Response team will work with Citrix internal product development teams to address the issue. CVE-2023-36563. Artifex Software is pleased to report that a recently disclosed security vulnerability in Ghostscript has been resolved. Your Synology NAS may not notify you of this DSM update because of the following reasons. 1 und Oracle 19cReferences. 1. 19 when executing the GregorianCalender. A security issue rated high has been found in Ghostscript (CVE-2023-36664). Read The Complete Article at:We also display any CVSS information provided within the CVE List from the CNA. libjpeg-turbo: Fix CVE-2023-2804. It is awaiting reanalysis which may result in further changes to the information provided. Note: NVD Analysts have published a CVSS score for this CVE based on publicly available information at the time of analysis. Qlik Sense Enterprise for Windows before August 2023 Patch 2 allows unauthenticated remote code execution, aka QB-21683. Version: 7. Information is rather scarce for this vulnerability, Microsoft lists that exploitation is "more likely", which indicates there is a significant risk.