Security Announcement on CVE-2023-36664

We will update this announcement with new details as they emerge from our analysis. Please check back periodically.

Last update: 20 July 2023, 9:00 AM CET

CVE-2023-36664 is a new critical vulnerability in Ghostscript, rated 9.8. More official information about it can be found here.

The vulnerability allows a remote attacker to execute remote code. The vulnerability is caused by incorrect permission validation for pipe devices (with the prefix "%pipe%" or the pipe character "|").

enaio® (all supported versions: 10.0, 10.10, 11.0)

Ghostscript is used by enaio® documentviewer in all versions for conversion. Ghostscript is not installed during the installation for licensing reasons. However, we have provided installation data, most recently for version 9.27, which is affected by this vulnerability.

Currently we provide the setup for Ghostscript version 10.01.2, gs10012w64.exe, as part of the installation data for enaio® documentviewer.

In this version the vulnerability is fixed. It is strongly recommended to update to this or a later Ghostscript version.