Command Execution Vulnerability in GNU Emacs Affected by Shell Metacharacters
CVE-2022-45939

7.8HIGH

Key Information:

Vendor: Gnu
Status: Emacs
Vendor: CVE Published:; 28 November 2022

What is CVE-2022-45939?

GNU Emacs versions up to 28.2 is susceptible to a command execution vulnerability that arises from the mishandling of shell metacharacters within source-code file names. When using the 'ctags *' command with untrusted input in the current working directory, attackers can exploit this flaw, allowing them to execute arbitrary commands. This vulnerability is facilitated by lib-src/etags.c's reliance on the system C library function, which does not adequately sanitize input. Users are advised to update to secure versions to mitigate risks.

References

https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=d4...

https://lists.debian.org/debian-lts-announce/2022/12/msg0...

mailing-list

https://lists.fedoraproject.org/archives/list/package-ann...

vendor-advisory

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 28, 2022
Vulnerability Reserved
Nov 28, 2022

Gnu

What is CVE-2022-45939?

References

CVSS V3.1

Timeline