CVE-2023-36664

7.8 HIGH

📋 TL;DR

CVE-2023-36664 is a security bypass in Artifex Ghostscript: the permission validation applied to pipe devices (paths carrying the %pipe% prefix or beginning with the | pipe character) was flawed, so a crafted PostScript file could open a pipe and have the operating system run an arbitrary command even with the default -dSAFER protection in place. Any system whose Ghostscript interprets untrusted PostScript or EPS input is affected, including services that invoke Ghostscript indirectly (for example ImageMagick delegates, document converters and print filters).

💻 Affected Systems

Products:
  • Artifex Ghostscript
Versions: All upstream releases through 10.01.2 (fixed in 10.02.0). Distribution packages may carry a backported fix under an older version string; see the verification section.
Operating Systems: Linux, Windows, macOS, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: -dSAFER, the default since Ghostscript 9.50, is the control this bug bypasses, so default configurations are exposed whenever untrusted input is interpreted. Systems using Ghostscript for PDF/PostScript rendering in web applications, document converters (including ImageMagick, which delegates PS/EPS/PDF handling to Ghostscript), or printing services are particularly at risk.

📦 What is this software?

Artifex Ghostscript is an interpreter for the PostScript language and for PDF, available under the AGPL and commercial licences. It is widely embedded as a rendering and conversion backend: ImageMagick delegates PS/EPS/PDF handling to it, CUPS print filters use it to rasterise jobs, and many document-processing pipelines call the gs command or link libgs directly, often without the operator being aware of the dependency.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Arbitrary command execution as the account running Ghostscript. Where that account is privileged (a print server running as root, a shared conversion worker) or holds credentials and reaches internal networks, this becomes full host compromise, data theft, ransomware deployment or lateral movement.

🟠

Likely Case

Arbitrary command execution as the Ghostscript process user when a malicious PostScript or EPS file is processed, typically leading to a reverse shell or data exfiltration from the document-processing host. The commands run with the privileges of the Ghostscript process; the bug itself grants no escalation beyond them.

🟢

If Mitigated

Limited impact if Ghostscript runs in sandboxed environments with minimal privileges and only processes trusted files.

🌐 Internet-Facing: MEDIUM - Exploitation requires Ghostscript to process attacker-controlled files, which could occur through web applications, document processing services, or file upload features.
🏢 Internal Only: MEDIUM - Internal users could exploit this through document processing workflows, shared file systems, or by tricking users into opening malicious files.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires only that a malicious PostScript or EPS file reach a vulnerable Ghostscript; no credentials are involved, but the attacker must be able to upload or otherwise deliver the file, and processing of that file is the user interaction the CVSS vector records. Proof-of-concept PostScript is attached to the bug report (706761). Once an attacker controls input to Ghostscript the vulnerability is straightforward to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.02.0 and later (upstream); distribution packages ship the fix backported under older version numbers, so check the package changelog rather than the version alone

Vendor Advisory: https://bugs.ghostscript.com/show_bug.cgi?id=706761

Restart Required: Not for command-line use (the next gs invocation runs the new binary), but long-running services that have libgs loaded or keep a gs worker pool (conversion services, print spoolers, web applications using ImageMagick) must be restarted or they keep executing the old code

Instructions:

1. Upgrade Ghostscript to version 10.02.0 or later, or to your distribution's patched package (Debian, Ubuntu, RHEL and their derivatives fixed CVE-2023-36664 in packages that still report older version numbers; confirm via the package changelog).
2. Linux: use the package manager (apt-get update && apt-get install --only-upgrade ghostscript, or yum update ghostscript / dnf update ghostscript).
3. Windows: download and install the current release from the official Ghostscript website, and update any application that bundles its own copy of gswin64c.exe/gsdll64.dll.
4. Source installations: build the latest release from the official Git repository.
5. Restart services that embed or call Ghostscript, and rebuild container images that include it.

🔧 Temporary Workarounds

Confirm SAFER mode is in force and not weakened

all

No documented runtime switch disables the pipe device outright, and this vulnerability bypasses the permission checks that -dSAFER is meant to enforce, so configuration alone does not close it. Confirming that SAFER is on and unweakened still reduces exposure:

Never pass -dNOSAFER; -dSAFER is the default since 9.50, and adding it explicitly guards against a wrapper or delegate configuration that turns it off
Do not use -dDELAYSAFER, which postpones enabling SAFER and weakens protection rather than adding any
Do not grant --permit-file-write, --permit-file-control or --permit-file-all when processing untrusted input; pass the output path only through -sOutputFile, which SAFER permits on its own

Sandbox Ghostscript execution

linux

Run Ghostscript in a restricted environment with minimal privileges

Use Linux namespaces and drop the network as well: unshare -r -m -p -f -n --mount-proc gs ... (unshare alone leaves the host filesystem visible, so pair it with a minimal root, for example bubblewrap's bwrap --unshare-all with read-only binds, or a chroot)
Use containers with no network (--network none), all capabilities dropped (--cap-drop ALL), a read-only root filesystem and a non-root user, with only the output directory writable
Use SELinux/AppArmor policies to confine the Ghostscript process to its input and output paths and to deny it execution of shells

🧯 If You Can't Patch

  • Screen input for pipe device syntax (%pipe% or a leading | in file operands) as a first filter, but treat it as a speed bump only: PostScript is a full programming language and a file name string can be assembled at run time, so a byte-pattern scan of the file rejects naive payloads and little else
  • Run Ghostscript as a dedicated unprivileged user with read access only to the input and write access only to the output directory, no network access, and a wall-clock timeout
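The two points above (a minimal-privilege, no-network sandbox and a wrapper that never lets the caller weaken SAFER) combined into one launcher, as an added example for this page; it is not Ghostscript, bubblewrap or any vendor's code. It assumes Linux with bubblewrap (`bwrap`) and `gs` installed; the paths, the `/work` mount layout and the 150 dpi PNG output are choices made for the example. Only the output directory is writable, all namespaces including the network are unshared, and `/bin` is deliberately not mapped, so even a successful %pipe% bypass finds no `/bin/sh` to run.

```python
"""Run Ghostscript on an untrusted file inside a bubblewrap sandbox.

Added example for this advisory; not Ghostscript or bubblewrap project code.
Assumes Linux with `bwrap` and `gs` installed.
"""
import subprocess
from pathlib import Path
from typing import Sequence

# Switches that disable or weaken SAFER; a wrapper must never let a caller
# smuggle them in (e.g. from a user-controlled "render options" field).
FORBIDDEN_OPTS = (
    "-dNOSAFER",
    "-dDELAYSAFER",
    "--permit-file-all",
    "--permit-file-control",
    "--permit-file-write",
)


def build_sandboxed_gs(
    input_file: str,
    output_dir: str,
    device: str = "png16m",
    output_name: str = "page-%03d.png",
    extra_opts: Sequence[str] = (),
) -> list[str]:
    """Return the argv that renders ``input_file`` into ``output_dir``.

    Shape: bwrap <sandbox setup> -- gs <hardened switches> /work/input.ps
    """
    for opt in extra_opts:
        if any(opt.startswith(bad) for bad in FORBIDDEN_OPTS):
            raise ValueError(f"refusing Ghostscript option that weakens SAFER: {opt}")

    in_path = Path(input_file).resolve()
    out_path = Path(output_dir).resolve()

    sandbox = [
        "bwrap",
        "--unshare-all",                   # new user, pid, net, ipc, uts, cgroup namespaces
        "--die-with-parent",
        "--new-session",                   # no controlling terminal inside the sandbox
        "--clearenv",
        "--setenv", "PATH", "/usr/bin",
        "--ro-bind", "/usr", "/usr",       # gs binary, libgs, Resource/ and fonts
        "--ro-bind-try", "/lib", "/lib",
        "--ro-bind-try", "/lib64", "/lib64",
        "--ro-bind-try", "/etc/fonts", "/etc/fonts",
        "--proc", "/proc",
        "--dev", "/dev",
        "--tmpfs", "/tmp",
        "--ro-bind", str(in_path), "/work/input.ps",   # input is read-only
        "--bind", str(out_path), "/work/out",          # the only writable path
        "--chdir", "/work",
        "--",
    ]
    gs = [
        "/usr/bin/gs",
        "-dSAFER",                         # default since 9.50; explicit so a dropped default is caught
        "-dBATCH", "-dNOPAUSE", "-dNOPROMPT",
        f"-sDEVICE={device}",
        "-r150",
        f"-sOutputFile=/work/out/{output_name}",  # SAFER permits writes to -sOutputFile only
        *extra_opts,
        "/work/input.ps",
    ]
    return sandbox + gs


def render(input_file: str, output_dir: str, timeout_s: int = 60) -> tuple[int, str]:
    """Run the sandboxed render with a wall-clock limit; returns (exit code, stderr)."""
    argv = build_sandboxed_gs(input_file, output_dir)
    try:
        proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout_s)
    except subprocess.TimeoutExpired:
        return 124, "ghostscript killed after timeout"
    return proc.returncode, proc.stderr


if __name__ == "__main__":
    import sys

    code, err = render(sys.argv[1], sys.argv[2])
    print(code, err[-2000:])
```

Invoke as `python3 safe_gs.py upload.eps /srv/render/out`. The sandbox denies any network egress and any shell, so a %pipe% payload that would otherwise run `sh -c` fails on exec; the timeout bounds PostScript loops written to exhaust the worker.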

🔍 How to Verify

Check if Vulnerable:

Check the Ghostscript version: gs --version. An upstream build reporting 10.01.2 or earlier is vulnerable. Distribution packages (Debian, Ubuntu, RHEL and derivatives) shipped the fix as a backport under older version numbers, so also check the package changelog for CVE-2023-36664, e.g. apt-get changelog ghostscript or rpm -q --changelog ghostscript; a 9.x or 10.0x package whose changelog names the CVE is patched.

Check Version:

gs --version

Verify Fix Applied:

After patching, confirm that gs --version reports 10.02.0 or later, or that the package changelog references CVE-2023-36664 for a backported fix. As a functional check, a PostScript file that opens a pipe device with a harmless command, for example the line (%pipe%true) (w) file, must fail under SAFER with an invalidfileaccess error instead of running the command. Note that this straightforward form is blocked on vulnerable versions as well; it confirms SAFER is active, not that the bypass is closed, which only the version or changelog check establishes.
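The version and changelog checks above, folded into one decision, as an added example for this page (not Ghostscript project code). It runs the real `gs --version` and, best-effort, `rpm -q --changelog` or `apt-get changelog`; the sample changelog text in the test is constructed. The point it adds to the prose is the order of the checks: an upstream version at or above 10.02.0 is conclusive, anything lower is vulnerable unless the distribution's changelog names the CVE.

```python
"""Decide whether an installed Ghostscript is exposed to CVE-2023-36664.

Added example for this advisory (not Ghostscript project code). Upstream fixed
the bug in release 10.02.0, but Debian, Ubuntu, RHEL and their derivatives
shipped the fix as a backport under older version strings, so `gs --version`
alone misreports those hosts; the changelog check covers them.
"""
import re
import subprocess

FIXED_UPSTREAM = (10, 2, 0)
CVE_ID = "CVE-2023-36664"


def parse_gs_version(text: str) -> tuple[int, ...]:
    """Extract the first dotted version from `gs --version` style output.

    Accepts '10.01.2', '9.56.1' or 'GPL Ghostscript 10.02.0 (...)'.
    """
    m = re.search(r"\b(\d+)\.(\d+)(?:\.(\d+))?\b", text)
    if not m:
        raise ValueError(f"no Ghostscript version found in {text!r}")
    return tuple(int(g) for g in m.groups(default="0"))


def assess(version_text: str, changelog_text: str = "") -> str:
    """Return 'fixed (upstream release)', 'fixed (distribution backport)' or 'vulnerable'."""
    if parse_gs_version(version_text) >= FIXED_UPSTREAM:
        return "fixed (upstream release)"
    if CVE_ID in changelog_text:          # distro backport under an older version number
        return "fixed (distribution backport)"
    return "vulnerable"


def installed_version() -> str:
    """Run the real binary; raises if gs is not on PATH."""
    return subprocess.run(["gs", "--version"], capture_output=True, text=True, check=True).stdout


def installed_changelog() -> str:
    """Best-effort package changelog: rpm first, then apt-get (which may fetch it over the network)."""
    for cmd in (["rpm", "-q", "--changelog", "ghostscript"],
                ["apt-get", "changelog", "ghostscript"]):
        try:
            return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
        except (OSError, subprocess.CalledProcessError):
            continue
    return ""


if __name__ == "__main__":
    print(assess(installed_version(), installed_changelog()))
```

On a Windows host there is no package changelog, so only the version branch applies; on a container image, run it inside the image rather than on the host.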

📡 Detection & Monitoring

Log Indicators:

  • Ghostscript (gs, gsc, gswin64c.exe) appearing as the parent of any other process; it spawns no children during normal rendering, and a shell child (sh, bash, cmd.exe) is the direct signature of %pipe% command execution
  • Ghostscript stderr or application error logs reporting invalidfileaccess for %pipe% or | paths (blocked probes; a successful bypass leaves no such error)
  • Unexpected commands, new files or outbound tooling (curl, wget, nc) appearing under the document-processing service account

Network Indicators:

  • Ghostscript processes making unexpected network connections
  • Outbound connections from document processing systems to suspicious destinations

SIEM Query:

Pivot on the parent/child relationship rather than on the gs command line: the payload lives inside the processed file, not in the arguments Ghostscript was started with, and matching command_line:"|" flags every shell pipeline on the host.

parent_process_name:("gs" OR "gsc" OR "gswin64c.exe" OR "gswin32c.exe") AND process_name:("sh" OR "bash" OR "dash" OR "cmd.exe" OR "powershell.exe")

process_name:("gs" OR "gsc" OR "gswin64c.exe") AND command_line:"%pipe%"

The second query only catches payloads passed on the command line with -c; the first is the one that matters for file-based attacks.
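The detection logic above applied to process-creation events, as an added example for this page (not vendor or product code). The JSON-lines event shape (ts, host, parent_image, image, command_line) and the five sample events are constructed for illustration; map the field names to your own EDR, auditd or Sysmon schema. Any child of a Ghostscript binary is reported, a shell child at high severity, and %pipe% on a gs command line is reported separately.

```python
"""Flag Ghostscript processes that spawn children, the observable side effect of
%pipe% command execution (CVE-2023-36664).

Added example for this advisory; not vendor code. Event format and samples are
constructed.
"""
import json
from typing import Iterable

GS_BINARIES = {"gs", "gsc", "gsx", "gswin32c.exe", "gswin64c.exe", "gswin32.exe", "gswin64.exe"}
SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "cmd.exe", "powershell.exe", "pwsh.exe"}

# Constructed sample events: one shell spawned by gs, one benign delegate call
# from ImageMagick's convert, one admin version check, one non-shell child
# (curl to a TEST-NET address), and one Windows shell spawned by gswin64c.exe.
SAMPLE_EVENTS = r"""
{"ts": "2023-07-10T09:12:01Z", "host": "conv01", "parent_image": "/usr/bin/gs", "image": "/bin/sh", "command_line": "sh -c id"}
{"ts": "2023-07-10T09:12:00Z", "host": "conv01", "parent_image": "/usr/bin/convert", "image": "/usr/bin/gs", "command_line": "gs -dSAFER -dBATCH -dNOPAUSE -sDEVICE=png16m -sOutputFile=/tmp/out.png /tmp/upload.eps"}
{"ts": "2023-07-10T09:13:44Z", "host": "admin01", "parent_image": "/usr/bin/bash", "image": "/usr/bin/gs", "command_line": "gs --version"}
{"ts": "2023-07-10T09:15:09Z", "host": "conv01", "parent_image": "/usr/bin/gs", "image": "/usr/bin/curl", "command_line": "curl -s 192.0.2.10/x"}
{"ts": "2023-07-10T10:01:30Z", "host": "print01", "parent_image": "C:\\Program Files\\gs\\bin\\gswin64c.exe", "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe /c whoami"}
"""


def basename(path: str) -> str:
    """Last path component, case-folded, for both / and \\ separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(lines: Iterable[str]) -> list[dict]:
    """Return one finding per suspicious event, in input order."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        parent = basename(ev.get("parent_image", ""))
        child = basename(ev.get("image", ""))
        cmd = ev.get("command_line", "")
        if parent in GS_BINARIES:
            # gs forks nothing in normal operation; a shell child is the %pipe% signature.
            findings.append({
                "ts": ev.get("ts"),
                "host": ev.get("host"),
                "severity": "high" if child in SHELLS else "medium",
                "reason": f"Ghostscript ({parent}) spawned {child}",
                "command_line": cmd,
            })
        elif child in GS_BINARIES and "%pipe%" in cmd.lower():
            # Only catches payloads passed with -c on the command line; the
            # file-borne attack is caught by the parent check above.
            findings.append({
                "ts": ev.get("ts"),
                "host": ev.get("host"),
                "severity": "high",
                "reason": "pipe device syntax on Ghostscript command line",
                "command_line": cmd,
            })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS.splitlines()):
        print(f["severity"].upper(), f["ts"], f["host"], f["reason"], "|", f["command_line"])
```

The benign delegate event (convert starting gs) and the admin's `gs --version` produce nothing, which is the tuning point: alert on what Ghostscript starts, not on Ghostscript being started.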

🔗 References

📤 Share & Export