Local Command Injection Vulnerability in GNU Emacs Ruby Mode
CVE-2022-48338

7.3HIGH

Key Information:

Vendor: Gnu
Status: Emacs
Vendor: CVE Published:; 20 February 2023

What is CVE-2022-48338?

A local command injection vulnerability exists in GNU Emacs through version 28.2 specifically in the ruby-mode.el file. The interactive function ruby-find-library-file, bound to the shortcut C-c C-f, allows execution of external commands without proper escaping of parameters. This flaw poses a risk as malicious Ruby source files could exploit this weakness to execute arbitrary commands, compromising system integrity and security.

References

https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=9a...

https://www.debian.org/security/2023/dsa-5360

vendor-advisory

https://lists.fedoraproject.org/archives/list/package-ann...

vendor-advisory

CVSS V3.1

Score:

7.3

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 20, 2023
Vulnerability Reserved
Feb 20, 2023

Gnu

What is CVE-2022-48338?

References

CVSS V3.1

Timeline