Command Injection Vulnerability in GNU Emacs by GNU
CVE-2022-48339

7.8 HIGH

Key Information:

Vendor
Gnu
Status
Vendor
CVE Published: 20 February 2023

Summary

A vulnerability has been identified in GNU Emacs that allows for command injection through the 'hfy-istext-command' function. The function improperly handles user-supplied input for file and directory parameters without escaping potentially harmful shell metacharacters. This oversight could lead to the execution of arbitrary code if an attacker manipulates file or directory names. It is crucial for users to update to the latest version to mitigate this risk.
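The pattern described in the summary, shown as an added Emacs Lisp example (not code from Emacs or from this advisory): a file path formatted into a shell command unescaped, the same path passed through `shell-quote-argument`, and a variant that avoids the shell. All `demo-` names, the command template and the sample file name are constructed for illustration, since the page does not show the affected code.

```elisp
;;; -*- lexical-binding: t -*-
;; Added illustration. Every demo- name is hypothetical and the template
;; below is constructed; none of it is taken from the Emacs sources.
(require 'subr-x)

(defvar demo-istext-command "file %s"
  "Constructed shell command template; %s is replaced by a file name.")

(defun demo-command-unquoted (file dir)
  "Build the command by pasting the raw path into shell text.
Any shell metacharacter in FILE or DIR becomes shell syntax."
  (format demo-istext-command (expand-file-name file dir)))

(defun demo-command-quoted (file dir)
  "Build the command with the path escaped as a single shell word."
  (format demo-istext-command
          (shell-quote-argument (expand-file-name file dir))))

(defun demo-file-type-no-shell (file dir)
  "Run file(1) with the path as one argv entry, so no shell parses it.
The \"--\" keeps a name that starts with a dash from being read as an option."
  (with-temp-buffer
    (call-process "file" nil t nil "--brief" "--"
                  (expand-file-name file dir))
    (string-trim (buffer-string))))

;; Constructed file name containing a shell metacharacter.
(let ((name "notes;id.txt")
      (dir "/tmp/demo"))
  ;; Compare the two command strings a shell would be asked to parse.
  (message "unquoted: %s" (demo-command-unquoted name dir))
  (message "quoted:   %s" (demo-command-quoted name dir))
  ;; The argv form never builds a command string at all.
  (message "no shell: %s" (demo-file-type-no-shell name dir)))
```

Evaluating the buffer prints both command strings to `*Messages*`; only the unquoted one leaves the `;` for the shell to interpret as a command separator.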

CVSS V3.1

Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
