CVE-2022-48338

Published: 20/02/2023 Updated: 07/11/2023
CVSS v3 Base Score: 7.3 | Impact Score: 5.9 | Exploitability Score: 1.3
VMScore: 0

Vulnerability Summary

An issue exists in GNU Emacs up to and including 28.2. In ruby-mode.el, the ruby-find-library-file function has a local command injection vulnerability. The ruby-find-library-file function is an interactive function, and bound to C-c C-f. Inside the function, the external command gem is called through shell-command-to-string, but the feature-name parameters are not escaped. Thus, malicious Ruby source files may cause commands to be executed.
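The pattern described in the summary, next to two hardened forms, as an added Emacs Lisp example (not the ruby-mode.el source and not the upstream patch). Every `demo-` name, the allowlist regexp and the sample input are assumptions made for illustration.

```elisp
;;; -*- lexical-binding: t; -*-
;; Added illustration, not the ruby-mode.el source. Every `demo-' name is
;; hypothetical; the sample input below is constructed.
(require 'subr-x)

(defconst demo-constructed-feature "json; echo INJECTED"
  "Constructed feature name with a shell metacharacter and a harmless marker.")

(defun demo-unescaped-command (feature-name)
  "Command string built the way the summary describes: plain concatenation.
Handed to `shell-command-to-string', the text after the semicolon is run
by the shell as a second command."
  (concat "gem which " feature-name))

(defun demo-quoted-command (feature-name)
  "Same command with FEATURE-NAME quoted as a single shell word."
  (concat "gem which " (shell-quote-argument feature-name)))

(defun demo-valid-feature-p (feature-name)
  "Non-nil if FEATURE-NAME looks like a library path (assumed allowlist).
The first character may not be a dash, so the name cannot act as an option."
  (string-match-p "\\`[[:alnum:]_][[:alnum:]_./-]*\\'" feature-name))

(defun demo-gem-which (feature-name)
  "Resolve FEATURE-NAME with the gem program, bypassing the shell entirely.
`call-process' hands each argument to the program as its own argv entry."
  (unless (demo-valid-feature-p feature-name)
    (user-error "Refusing feature name: %S" feature-name))
  (with-temp-buffer
    (let ((status (call-process "gem" nil t nil "which" feature-name)))
      (if (eq status 0)
          (string-trim (buffer-string))
        (error "gem which failed (%s): %s"
               status (string-trim (buffer-string)))))))

(defun demo-report ()
  "Return both command strings and the allowlist verdict for the sample."
  (list :unescaped (demo-unescaped-command demo-constructed-feature)
        :quoted (demo-quoted-command demo-constructed-feature)
        :accepted (and (demo-valid-feature-p demo-constructed-feature) t)))
```

Evaluating `(demo-report)` in a scratch buffer shows the two strings side by side without running anything; `demo-gem-which` needs the `gem` program on the PATH.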

Vulnerable Product

gnu emacs

Vendor Advisories

Debian Bug report logs - #1031730 emacs: CVE-2022-48339 CVE-2022-48338 CVE-2022-48337 Package: src:emacs; Maintainer for src:emacs is Rob Browning <rlb@defaultvalueorg>; Reported by: Moritz Mühlenhoff <jmm@inutilorg> Date: Tue, 21 Feb 2023 15:09:13 UTC Severity: grave Tags: security, upstream Found in version ema ...
Xi Lu discovered that missing input sanitising in Emacs (in etags, the Ruby mode and htmlfontify) could result in the execution of arbitrary shell commands. For the stable distribution (bullseye), these problems have been fixed in version 1:271+1-31+deb11u2. We recommend that you upgrade your emacs packages. For the detailed security status of em ...
Synopsis: Important: OpenShift Container Platform 4132 bug fix and security update. Type/Severity: Security Advisory: Important. Topic: Red Hat OpenShift Container Platform release 4132 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift C ...
Synopsis: Important: Red Hat OpenShift Data Foundation 4130 security and bug fix update. Type/Severity: Security Advisory: Important. Topic: Updated images that include numerous enhancements, security, and bug fixes are now available in Red Hat Container Registry for Red Hat OpenShift Data Foundation 4130 on Red Hat Enterprise Linux 9. Red Hat ...
GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system C library function in its implementation of the etags program. For example, a victim may use the "etags -u *" command (suggested in the etags documentation) in a situation where the current ...
Description: The MITRE CVE dictionary describes this issue as: An issue was discovered in GNU Emacs through 28.2. In ruby-mode.el, the ruby-find-library-file function has a local command injection vulnerability. The ruby-find-library-file function is an interactive function, and bound to C-c C-f. Inside the function, the external command gem is calle ...