Vulnerability in ScannerVision
I. Summary of the security vulnerabilities
A security vulnerability has been found in one of the components used when processing PostScript files within the ScannerVision Server application:
In the PostScript processing function of ScannerVision version 126.96.36.1994 and earlier an exploitable code execution vulnerability exists. A specially crafted PostScript file processed by ScannerVision can execute code in the payload with the privileges of the ScannerVision Processing Service user. Although PostScript files are now processed as "source documents" by a very small percentage of users, there is still a risk that the vulnerability will be exploited. The cause of the vulnerability is a third-party library called "Ghostscript" in version V9.25 that is used as part of the ScannerVision processing engine.
II. Solution description
As a short-term immediate measure, a patch has been created for the affected server version. An updated version of ScannerVision, V9.11, is available immediately for new installations to effectively stop the processing of PostScript files from any capture source. ScannerVision version 9.13 is scheduled for release at the end of September, which will include a full bug fix and allow processing of PostScript files again.