Shell Command Injection Vulnerability in Emacs Client by GNU
CVE-2023-27985

7.8HIGH

Key Information:

Vendor: Gnu
Status: Emacs
Vendor: CVE Published:; 9 March 2023

Summary

The emacsclient-mail.desktop file in Emacs versions 28.1 through 28.2 is susceptible to shell command injections via specially crafted mailto: URIs. This vulnerability arises from a failure to comply with the Desktop Entry Specification, allowing attackers to potentially execute arbitrary commands. This issue has been addressed in version 29.0.90, highlighting the importance of software updates for maintaining security.

References

https://www.openwall.com/lists/oss-security/2023/03/08/2

http://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emac...

https://debbugs.gnu.org/cgi/bugreport.cgi?bug=60204

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Mar 9, 2023
Vulnerability Reserved
Mar 9, 2023