The Proof-of-concept (PoC) of an exploit was posted online over the weekend about a Ghostscript vulnerability that compromises all component-based servers.
The PoC was published by Vietnamese security researcher Nguyen The Duc in GitHub and has been confirmed to work by several leading security researchers.
Ghostscript was released in 1988 and is a small library that allows applications to edit PDF documents and PostScript-based files.
Ghostscript is also used by the server, and is usually included in image conversion and file editing tools, such as the popular ImageMagick.
PoC released by Nguyen allows an attacker to upload a malicious SVG file that is supposed to go for image processing but runs malicious code on the underlying operating system.
Nguyen may have been the one who publicly released PoC, but he did not discover the vulnerability.
It was discovered by Emil Lerner CTO and founder of Wunderfund, who used the bug last year to win bug bounties from companies such as Airbnb, Dropbox and Yandex.
This is the second time that the Ghostscript project is up to date due to security vulnerabilities. In August 2018, a Google security researcher discovered several critical vulnerabilities in the Ghostscript library that Artifex (the company that developed it) failed to fix in time. However, the company released corrections two days after the security vulnerabilities were made public.