Shell Command Injection Vulnerability in Emacs Client by GNU
CVE-2023-27985

7.8HIGH

Key Information:

Vendor: Gnu
Status: Emacs
Vendor: CVE Published:; 9 March 2023

What is CVE-2023-27985?

The emacsclient-mail.desktop file in Emacs versions 28.1 through 28.2 is susceptible to shell command injections via specially crafted mailto: URIs. This vulnerability arises from a failure to comply with the Desktop Entry Specification, allowing attackers to potentially execute arbitrary commands. This issue has been addressed in version 29.0.90, highlighting the importance of software updates for maintaining security.

References

https://www.openwall.com/lists/oss-security/2023/03/08/2

http://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emac...

https://debbugs.gnu.org/cgi/bugreport.cgi?bug=60204

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 9, 2023
Vulnerability Reserved
Mar 9, 2023

Gnu

What is CVE-2023-27985?

References

CVSS V3.1

Timeline