Incorrect Use of Privileged APIs

CVE-2019-3838

Medium

5.5/10

Summary

It was found that the forceput operator could be extracted from the DefineResource method in ghostscript before 9.27. A specially crafted PostScript file could use this flaw in order to, for example, have access to the file system outside of the constrains imposed by -dSAFER.

Attack Complexity: LOW
Attack Vector: LOCAL
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: REQUIRED
Privileges Required: NONE
Confidentiality Impact: HIGH
Availability Impact: NONE

CWE-648 - Incorrect Use of Privileged APIs

The application does not conform to the API requirements for a function call that requires extra privileges. This could allow attackers to gain privileges by causing the function to be called incorrectly.

References

Advisory Timeline

Published Mar 25, 2019

Incorrect Use of Privileged APIs

CVE-2019-3838

Summary

CWE-648 - Incorrect Use of Privileged APIs

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS