Blog

CVE-2024-29511 – Abusing Ghostscript’s OCR device

An arbitrary file read/write vulnerability in Ghostscript ≤ 10.02.1 that lets an attacker read and write arbitrary files anywhere on the filesystem, including outside the -dSAFER sandbox.

CVE-2024-29511 has significant impact on web applications and other services offering document conversion and preview functionality, as these often use Ghostscript under the hood. We recommend verifying whether your solution (indirectly) makes use of Ghostscript and, if so, updating it to the latest version.

CVE-2024-29510 – Exploiting Ghostscript using format strings

A format string vulnerability in Ghostscript ≤ 10.03.0 that enables attackers to gain remote code execution (RCE) while also bypassing the sandbox protections.

CVE-2024-29510 has significant impact on web applications and other services offering document conversion and preview functionality, as these often use Ghostscript under the hood. We recommend verifying whether your solution (indirectly) makes use of Ghostscript and, if so, updating it to the latest version!
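The two Ghostscript posts above both end with the same recommendation: find out whether Ghostscript is in your stack and check its version. The following POSIX sh script is an added example for that check; it is not code from the Codean Labs posts or from the Ghostscript project. It takes the affected ranges exactly as the posts state them (≤ 10.02.1 for CVE-2024-29511, ≤ 10.03.0 for CVE-2024-29510) and therefore treats any version below 10.03.1 as affected by at least one of the two. The threshold constant, function names and messages are this example's own choices.

```sh
#!/bin/sh
# Added example, not code from the Codean Labs posts: a small POSIX sh check for
# the Ghostscript recommendation above. The posts give the affected ranges as
# <= 10.02.1 (CVE-2024-29511) and <= 10.03.0 (CVE-2024-29510); this script
# therefore treats anything below 10.03.1 as affected by at least one of them.
# The threshold, function names and messages are this example's own choices.

FIXED_VERSION="10.03.1"

# version_lt A B: succeed (exit 0) when dotted version A is strictly lower
# than B. Components are compared numerically, so 10.3.1 equals 10.03.1 and
# a missing trailing component counts as 0 (10.03 < 10.03.1).
version_lt() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}
        bi=${b%%.*}
        # Drop the consumed component; an input without a dot is fully consumed.
        if [ "$a" = "$ai" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$bi" ]; then b=; else b=${b#*.}; fi
        ai=${ai:-0}
        bi=${bi:-0}
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
    done
    return 1   # all components equal: A is not lower than B
}

# gs_affected VERSION: succeed when VERSION predates the release that carries
# the fixes for both CVEs.
gs_affected() {
    version_lt "$1" "$FIXED_VERSION"
}

# normalize_version STRING: keep only the leading dotted-digit part, so a
# distro suffix such as "10.02.1~dfsg" does not break the numeric comparison.
normalize_version() {
    printf '%s' "$1" | sed 's/[^0-9.].*$//'
}

# check_installed_gs: locate gs on PATH and report. Returns 1 when the
# installed version is affected (so it can gate a CI job), 0 otherwise.
check_installed_gs() {
    if ! command -v gs >/dev/null 2>&1; then
        echo "no gs binary on PATH; Ghostscript may still be bundled by another component"
        return 0
    fi
    raw=$(gs --version 2>/dev/null | head -n 1)
    v=$(normalize_version "$raw")
    if [ -z "$v" ]; then
        echo "could not parse Ghostscript version from: $raw"
        return 0
    fi
    if gs_affected "$v"; then
        echo "Ghostscript $v is affected by CVE-2024-29510/CVE-2024-29511; upgrade to $FIXED_VERSION or later"
        return 1
    fi
    echo "Ghostscript $v is $FIXED_VERSION or later"
    return 0
}

# Entry point: print the verdict and keep the status (1 = affected) for callers.
gs_check_status=0
check_installed_gs || gs_check_status=$?
```

A binary on PATH is only the obvious case: document-conversion services frequently reach Ghostscript indirectly, for example through ImageMagick's delegates (`convert -list delegate` shows whether `gs` is configured for PostScript and PDF input) or through a bundled `libgs`, so run the version check against every copy you find, not just the first one.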

CVE-2024-4367 – Arbitrary JavaScript execution in PDF.js

A vulnerability in PDF.js found by Codean Labs. PDF.js is the JavaScript-based PDF viewer maintained by Mozilla. The bug allows an attacker to execute arbitrary JavaScript code as soon as a malicious PDF file is opened. It affects all Firefox users on versions before 126, since Firefox uses PDF.js to render PDF files, and it also seriously impacts many web- and Electron-based applications that (indirectly) use PDF.js for preview functionality.

Vulnerability write-up: “Dangerous assumptions”

Vulnerabilities emerge when software developers rely too much on the security of external components such as open source libraries. A customer project led us down a rabbit hole in which we found multiple issues in third-party packages, resulting in critical vulnerabilities in our client's final product. Together with DIVD we disclosed the findings to the open source communities, which resulted in fixes and 6 CVEs, found by our security experts Thomas Rinsma and Kevin Valk.