CVE-2022-45939

CWE-78 — OS Command Injection10 documents8 sources

Severity

7.8HIGH

EPSS

0.0%

top 85.47%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GNU Emacs Debian Debian Linux Fedoraproject Fedora

Timeline

PublishedNov 28

Latest updateSep 19

Description

GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system C library function in its implementation of the ctags program. For example, a victim may use the "ctags *" command (suggested in the ctags documentation) in a situation where the current working directory has contents that depend on untrusted input.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages6 packages

▶Debianemacs< 1:27.1+1-3.1+deb11u1+3

▶Ubuntuemacs< 1:27.1+1-3ubuntu5.2+2

▶Ubuntuemacs24< 24.5+1-6ubuntu1.1+esm4

▶Ubuntuemacs25< 25.2+1-6ubuntu0.1~esm2

▶Debianxemacs21< 21.4.24-11

Also affects: Debian Linux 10.0, 11.0, Fedora 36, 37

Patches

Patch: git.savannah.gnu.org ↗Patch: git.savannah.gnu.org ↗

🔴Vulnerability Details

OSV

emacs, emacs24, emacs25 vulnerabilities↗2024-09-19

▶

GHSA

GHSA-m57w-hf24-4j3h: GNU Emacs through 28↗2022-11-28

▶

CVEList

CVE-2022-45939: GNU Emacs through 28↗2022-11-28

▶

OSV

CVE-2022-45939: GNU Emacs through 28↗2022-11-28

▶

📋Vendor Advisories

Ubuntu

Emacs vulnerabilities↗2024-09-19

▶

Ubuntu

Emacs vulnerability↗2022-12-14

▶

Red Hat

emacs: ctags local command execution vulnerability↗2022-11-27

▶

Microsoft

GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file because lib-src/etags.c uses the system C library function in its implementation ↗2022-11-08

▶

Debian

CVE-2022-45939: emacs - GNU Emacs through 28.2 allows attackers to execute commands via shell metacharac...↗2022

▶