Arbitrary Command Execution Vulnerability in GNU Emacs Org Mode
CVE-2023-28617

7.8 HIGH

Key Information:

Vendor
Gnu
Status
Vendor
CVE Published: 19 March 2023

Summary

A vulnerability exists in the org-babel-execute function of ob-latex.el in GNU Emacs Org Mode versions up to 9.6.1. An attacker can execute arbitrary commands by supplying a file name or directory name that contains shell metacharacters. Exploitation poses a significant risk to users: it enables unauthorized operations and can compromise system integrity.

CVSS V3.1

Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved