CVE-2024-29511 Overview
CVE-2024-29511 is a directory traversal vulnerability affecting Artifex Ghostscript before version 10.03.1 when Tesseract is used for OCR (Optical Character Recognition). The flaw allows attackers to read arbitrary files on the system and write error messages to arbitrary file locations by manipulating the OCRLanguage parameter. Exploitation can leverage parameters such as debug_file and user_patterns_file to access sensitive system files like /etc/passwd.
Critical Impact
This vulnerability enables unauthorized file access across the filesystem, potentially exposing sensitive configuration files, credentials, and system data through crafted OCR requests.
Affected Products
- Artifex Ghostscript versions prior to 10.03.1
- Systems using Ghostscript with Tesseract OCR integration
- Document processing pipelines and print servers leveraging Ghostscript
Discovery Timeline
- 2024-07-03 - CVE-2024-29511 published to NVD
- 2025-04-28 - Last updated in NVD database
Technical Details for CVE-2024-29511
Vulnerability Analysis
This directory traversal vulnerability exists in Artifex Ghostscript's integration with the Tesseract OCR engine. When processing documents that require optical character recognition, Ghostscript passes configuration parameters to Tesseract, including language files and debug output paths. The vulnerability stems from insufficient validation of the OCRLanguage parameter, which allows path traversal sequences to escape the intended directory structure.
Attackers can exploit this flaw through two primary mechanisms: reading arbitrary files by pointing user_patterns_file to sensitive system files, and writing error messages to arbitrary locations using the debug_file parameter. For example, an attacker could specify user_patterns_file /etc/passwd to read the system password file, or use debug_file /tmp/out to write data to controlled locations.
The vulnerability is classified under CWE-489 (Active Debug Code), as the debug functionality provides the pathway for exploitation. The network-based attack vector means any service that processes untrusted documents using Ghostscript with Tesseract OCR enabled is potentially vulnerable.
Root Cause
The root cause lies in the improper sanitization of file path parameters passed to the Tesseract OCR subsystem. The OCRLanguage parameter and related configuration options do not properly validate or restrict path components, allowing relative path traversal sequences (e.g., ../) and absolute paths to reach files outside the intended OCR data directories. This represents a failure to apply proper input validation and path canonicalization before using user-controlled values in file system operations.
Attack Vector
The attack can be executed remotely by crafting a malicious document designed for OCR processing. When Ghostscript processes this document with Tesseract integration enabled, the attacker-controlled parameters are passed directly to file system operations without adequate sanitization.
An attacker would typically craft a PostScript or PDF document that triggers OCR processing with manipulated configuration parameters. By setting debug_file to a writable location such as /tmp/out and user_patterns_file to a target file like /etc/passwd, the attacker can exfiltrate file contents through error messages or debug output. The exploitation requires no authentication and can be triggered through any document processing workflow that uses the vulnerable Ghostscript configuration.
For detailed exploitation techniques and proof-of-concept information, refer to the Ghostscript Bug Report #707510 and the Openwall OSS Security Mailing List disclosure.
Detection Methods for CVE-2024-29511
Indicators of Compromise
- Ghostscript process accessing files outside standard OCR data directories such as /etc/, /root/, or user home directories
- Unusual file read operations targeting sensitive configuration files like /etc/passwd, /etc/shadow, or application configuration files
- Debug output files appearing in unexpected locations such as /tmp/ or world-writable directories
- Ghostscript logs showing OCRLanguage parameters containing path traversal sequences (../) or absolute paths
Detection Strategies
- Monitor Ghostscript and Tesseract processes for file access outside expected OCR data directories using file integrity monitoring tools
- Implement application-level logging to capture and analyze OCRLanguage and related OCR parameters in processed documents
- Deploy behavioral analysis to detect anomalous file read patterns from document processing services
- Use endpoint detection to alert on Ghostscript processes reading sensitive system files
Monitoring Recommendations
- Configure file access auditing on sensitive directories that should never be accessed by document processing applications
- Implement network-level monitoring for unusual data exfiltration patterns from document processing servers
- Enable verbose logging for Ghostscript operations to capture the parameter values passed to the Tesseract subsystem
- Review application logs regularly for path traversal patterns in document processing requests
How to Mitigate CVE-2024-29511
Immediate Actions Required
- Upgrade Artifex Ghostscript to version 10.03.1 or later immediately
- If immediate patching is not possible, disable Tesseract OCR integration in Ghostscript configurations
- Restrict network access to document processing services while patching is in progress
- Audit systems for signs of exploitation by reviewing file access logs for suspicious patterns
Patch Information
Artifex has released a security fix in Ghostscript version 10.03.1 that addresses this directory traversal vulnerability. The patch implements proper input validation and path sanitization for OCR-related parameters before they are used in file system operations. The fix can be reviewed in the Ghostscript commit changes, which detail the code modifications. Organizations should prioritize applying this update to all systems running Ghostscript with Tesseract OCR functionality.
Workarounds
- Disable Tesseract OCR integration in Ghostscript by removing or commenting out OCR-related device configurations
- Implement strict input validation at the application layer to reject documents with suspicious OCR parameters before processing
- Run Ghostscript in a sandboxed environment with restricted file system access using containers or chroot jails
- Use AppArmor or SELinux policies to confine Ghostscript process file access to only necessary directories
```bash
# Configuration example - disable the OCR device and restrict file access
# Add to Ghostscript configuration or wrapper script

# Disable OCR devices if not required. Keep -dSAFER enabled: -dNOSAFER would
# remove Ghostscript's own file access restrictions.
gs -dSAFER -dBATCH -dNOPAUSE -sDEVICE=pdfwrite \
   -dOCRDevice=false \
   -sOutputFile=output.pdf input.pdf

# Alternative: run Ghostscript with restricted permissions
# Create a dedicated user with minimal filesystem access
sudo useradd -r -s /bin/false ghostscript-user
sudo chown -R ghostscript-user:ghostscript-user /var/spool/ghostscript

# Run processes as the restricted user, writing only to its spool directory
sudo -u ghostscript-user gs -dSAFER -dBATCH -dNOPAUSE -sDEVICE=pdfwrite \
   -sOutputFile=/var/spool/ghostscript/output.pdf input.pdf
```
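The application-layer validation listed under Workarounds and the log review listed under Detection Methods can share one check, shown here as an added example that is not code from Artifex or from this advisory. The language allow-list, the `key=value` log format and the sample lines are constructed assumptions.

```python
import re

ALLOWED_LANGS = {"eng", "deu", "fra"}             # assumption: languages this service installs
TESS_VARS = ("debug_file", "user_patterns_file")  # Tesseract variables named in the advisory

# OCRLanguage followed by a separator (=, :, whitespace or an opening parenthesis) and a value.
OCR_LANG = re.compile(r"OCRLanguage[\s=:(]+([^\s()<>]*)")

# Constructed wrapper log lines (hypothetical key=value format).
SAMPLE = [
    "job=1001 OCRLanguage=eng+deu",
    "job=1002 OCRLanguage=../../tmp/x",
    "job=1003 OCRLanguage=/var/tmp/lang",
    "job=1004 tesseract-config: user_patterns_file /etc/passwd",
]


def language_problem(value, allowed=ALLOWED_LANGS):
    """Return why an OCRLanguage value is rejected, or None if it is acceptable."""
    if value.startswith(("/", "\\")):
        return "absolute path"
    if ".." in value or "/" in value or "\\" in value:
        return "path traversal or separator"
    # A legitimate value is one or more installed language codes joined by '+'.
    unknown = [part for part in value.split("+") if part not in allowed]
    if unknown:
        return "language not in allow-list: " + ",".join(unknown)
    return None


def audit(lines):
    """Scan job arguments or log lines; return (line_number, finding) pairs."""
    findings = []
    for number, line in enumerate(lines, 1):
        for match in OCR_LANG.finditer(line):
            problem = language_problem(match.group(1))
            if problem:
                findings.append((number, f"OCRLanguage {match.group(1)!r}: {problem}"))
        for var in TESS_VARS:
            if var in line:
                findings.append((number, f"Tesseract variable {var} present"))
    return findings


if __name__ == "__main__":
    for number, finding in audit(SAMPLE):
        print(f"line {number}: {finding}")
```

Calling `language_problem` in the wrapper before Ghostscript is invoked rejects the job outright, while `audit` over stored logs supports the retrospective review recommended under Immediate Actions.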


