CVE-2024-33870 in Ghostscript
Summary
by MITRE • 07/03/2024
An issue was discovered in Artifex Ghostscript before 10.03.1. There is path traversal (via a crafted PostScript document) to arbitrary files if the current directory is in the permitted paths. For example, there can be a transformation of ../../foo to ./../../foo and this will grant access if ./ is permitted.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 05/08/2025
The vulnerability identified as CVE-2024-33870 represents a critical path traversal flaw within Artifex Ghostscript versions prior to 10.03.1. This security weakness stems from insufficient input validation when processing PostScript documents, specifically in how the software handles file path resolution during document rendering operations. The flaw allows malicious actors to exploit directory traversal techniques by crafting specially formatted PostScript files that can navigate beyond intended directory boundaries. The vulnerability manifests when the current working directory is included in the list of permitted paths, creating an avenue for unauthorized file access and potential system compromise.
The technical implementation of this vulnerability involves the improper handling of relative path components within PostScript file processing. When Ghostscript encounters a crafted document containing sequences like ../../foo, the software fails to properly sanitize or validate these path components before attempting file operations. This results in a transformation where the relative path ../../foo becomes ./../../foo, effectively allowing access to files outside the intended directory scope when the current directory is included in the permitted paths list. The vulnerability operates at the file system level, leveraging the underlying operating system's path resolution mechanisms rather than targeting the application's logic directly.
The operational impact of this vulnerability extends beyond simple file access, potentially enabling attackers to read sensitive system files, configuration data, or other restricted resources that should not be accessible through normal document processing operations. An attacker could craft malicious PostScript documents that, when processed by an affected Ghostscript instance, could expose system information, credentials, or other confidential data. The vulnerability is particularly concerning in environments where Ghostscript is used for document processing in untrusted contexts, such as web applications, email systems, or document conversion services where users can upload arbitrary files. This flaw can be exploited to perform reconnaissance activities, escalate privileges, or potentially lead to complete system compromise depending on the execution environment and file permissions.
Organizations should immediately update their Ghostscript installations to version 10.03.1 or later to remediate this vulnerability. System administrators should also implement additional protective measures such as restricting the current working directory in Ghostscript configurations and ensuring that only necessary directories are included in the permitted paths list. The vulnerability aligns with CWE-22 Path Traversal and falls under ATT&CK technique T1059 Command and Scripting Interpreter, specifically targeting the exploitation of file system access controls through crafted input. Additional mitigations include implementing proper input validation at the application level, restricting file system access permissions for Ghostscript processes, and monitoring for suspicious file access patterns that may indicate exploitation attempts. Organizations should also consider network-level controls to prevent unauthorized access to systems running vulnerable Ghostscript versions and ensure comprehensive testing of document processing workflows to validate the effectiveness of applied mitigations.