Vulnerability CVE-2021-3781: Information

Description

A trivial sandbox (enabled with the `-dSAFER` option) escape flaw was found in the ghostscript interpreter by injecting a specially crafted pipe command. This flaw allows a specially crafted document to execute arbitrary commands on the system in the context of the ghostscript interpreter. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

Severity: CRITICAL (9.9) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

URL: https://nvd.nist.gov/vuln/detail/CVE-2021-3781
Published: Feb. 16, 2022
Modified: June 26, 2023
Error type identifier: CWE-78

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
ghostscriptsisyphus9.54.0-alt310.01.1-alt2ALT-PU-2021-2772-1285041Fixed
ghostscriptsisyphus_e2k10.01.1-alt110.01.1-alt2ALT-PU-2023-3235-1-Fixed
ghostscriptsisyphus_riscv6410.01.1-alt110.01.1-alt2ALT-PU-2023-3202-1-Fixed
ghostscriptp109.54.0-alt310.01.1-alt2ALT-PU-2021-2808-1285079Fixed
ghostscriptp10_e2k10.01.1-alt110.01.1-alt2ALT-PU-2023-3834-1-Fixed
ghostscriptc10f19.54.0-alt39.54.0-alt3ALT-PU-2021-2808-1285079Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://bugzilla.redhat.com/show_bug.cgi?id=2002271
  • Issue Tracking
  • Patch
  • Third Party Advisory
https://ghostscript.com/CVE-2021-3781.html
  • Patch
  • Vendor Advisory
GLSA-202211-11
  • Third Party Advisory

    1. Configuration 1

      cpe:2.3:a:artifex:ghostscript:9.52:*:*:*:*:*:*:*
      cpe:2.3:a:artifex:ghostscript:9.50:*:*:*:*:*:*:*
      cpe:2.3:a:artifex:ghostscript:9.53.3:*:*:*:*:*:*:*
      cpe:2.3:a:artifex:ghostscript:9.54.0:*:*:*:*:*:*:*

      Configuration 2

      cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
Version: v24.4.2
Back to top