Vulnerability Details : CVE-2014-0466
The fixps script in a2ps 4.14 does not use the -dSAFER option when executing gs, which allows context-dependent attackers to delete arbitrary files or execute arbitrary commands via a crafted PostScript file.
Products affected by CVE-2014-0466
- cpe:2.3:a:gnu:a2ps:4.14:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-0466
0.41%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 59 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2014-0466
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
6.8
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
8.6
|
6.4
|
NIST |
References for CVE-2014-0466
-
http://www.securityfocus.com/bid/66660
GNU a2ps CVE-2014-0466 Arbitrary Command Execution Vulnerability
-
http://www.debian.org/security/2014/dsa-2892
Debian -- Security Information -- DSA-2892-1 a2ps
-
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742902
#742902 - a2ps: CVE-2014-0466: does not invoke gs with -dSAFER - Debian Bug report logs
-
http://lists.opensuse.org/opensuse-updates/2014-04/msg00021.html
openSUSE-SU-2014:0499-1: moderate: a2ps: fixed commandinjection in fixps
-
https://security.gentoo.org/glsa/201701-67
a2ps: Arbitrary code execution (GLSA 201701-67) — Gentoo security
Jump to