What is CVE-2023-43115?

CVE-2023-43115 is a vulnerability in Artifex Ghostscript through 10.01.2.

How severe is CVE-2023-43115?

CVE-2023-43115 has a severity rating of 9.8 (critical).

How does CVE-2023-43115 lead to remote code execution?

CVE-2023-43115 allows remote code execution via crafted PostScript documents by switching to the IJS device after SAFER has been activated.

How can I check if my version of Ghostscript is affected?

If you are using Artifex Ghostscript version up to and including 10.01.2, your version is affected.

Is there a fix for CVE-2023-43115?

Yes, updating Artifex Ghostscript to a version higher than 10.01.2 will fix the vulnerability.

Vulnerability/
CVE-2023-43115

critical

9.8

18/9/2023

22/2/2024

CVE-2023-43115

First published: Mon Sep 18 2023(Updated: )

In Artifex Ghostscript through 10.01.2, gdevijs.c in GhostPDL can lead to remote code execution via crafted PostScript documents because they can switch to the IJS device, or change the IjsServer parameter, after SAFER has been activated. NOTE: it is a documented risk that the IJS server can be specified on a gs command line (the IJS device inherently must execute a command to start the IJS server).

Credit: cve@mitre.org cve@mitre.org

Affected Software	Affected Version	How to fix
debian/ghostscript	<=9.27~dfsg-2+deb10u5<=9.27~dfsg-2+deb10u9<=9.53.3~dfsg-7+deb11u5<=10.0.0~dfsg-11+deb12u1	9.53.3~dfsg-7+deb11u6 10.0.0~dfsg-11+deb12u2 10.02.0~dfsg-2
Artifex Ghostscript	<=10.01.2
ubuntu/ghostscript	<10.02.0~dfsg-1<10.02.0	10.02.0~dfsg-1 10.02.0
ubuntu/ghostscript	<9.50~dfsg-5ubuntu4.11	9.50~dfsg-5ubuntu4.11
ubuntu/ghostscript	<9.55.0~dfsg1-0ubuntu5.5	9.55.0~dfsg1-0ubuntu5.5
ubuntu/ghostscript	<10.0.0~dfsg1-0ubuntu1.4	10.0.0~dfsg1-0ubuntu1.4
ubuntu/ghostscript	<10.01.2~dfsg1-0ubuntu2.1	10.01.2~dfsg1-0ubuntu2.1
Fedoraproject Fedora	=38
Fedoraproject Fedora	=39

Remedy

https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=e59216049cac290fb437a04c4f41ea46826cfba5

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

USN-6433-1

Frequently Asked Questions

What is CVE-2023-43115?
CVE-2023-43115 is a vulnerability in Artifex Ghostscript through 10.01.2.
How severe is CVE-2023-43115?
CVE-2023-43115 has a severity rating of 9.8 (critical).
How does CVE-2023-43115 lead to remote code execution?
CVE-2023-43115 allows remote code execution via crafted PostScript documents by switching to the IJS device after SAFER has been activated.
How can I check if my version of Ghostscript is affected?
If you are using Artifex Ghostscript version up to and including 10.01.2, your version is affected.
Is there a fix for CVE-2023-43115?
Yes, updating Artifex Ghostscript to a version higher than 10.01.2 will fix the vulnerability.

collector/launchpad-cve
collector/security-tracker-debian
collector/nvd-index
collector/usn-cve
agent/author
agent/type
agent/first-publish-date
agent/event
agent/remedy
agent/description
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2023-43115
collector/nvd-api
source/NVD
agent/software-canonical-lookup
agent/references
agent/severity
agent/last-modified-date
agent/softwarecombine
agent/tags
agent/trending
package-manager/debian
vendor/artifex
canonical/artifex ghostscript
version/artifex ghostscript/10.01.2
package-manager/ubuntu
vendor/fedoraproject
canonical/fedoraproject fedora
version/fedoraproject fedora/38
version/fedoraproject fedora/39