CVE-2022-48337

CWE-78 — OS Command Injection CWE-77 — Command Injection9 documents8 sources

Severity

9.8CRITICAL

EPSS

0.4%

top 36.52%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GNU Emacs Debian Debian Linux

Timeline

PublishedFeb 20

Latest updateSep 19

Description

GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system C library function in its implementation of the etags program. For example, a victim may use the "etags -u *" command (suggested in the etags documentation) in a situation where the current working directory has contents that depend on untrusted input.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶Debianemacs< 1:27.1+1-3.1+deb11u2+3

▶NVDgnu/emacs28.2

Also affects: Debian Linux 11.0

Patches

Patch: git.savannah.gnu.org ↗Patch: git.savannah.gnu.org ↗

🔴Vulnerability Details

OSV

emacs, emacs24, emacs25 vulnerabilities↗2024-09-19

▶

GHSA

GHSA-8hw9-jqh3-h2rx: GNU Emacs through 28↗2023-02-21

▶

OSV

CVE-2022-48337: GNU Emacs through 28↗2023-02-20

▶

CVEList

CVE-2022-48337: GNU Emacs through 28↗2023-02-20

▶

📋Vendor Advisories

Ubuntu

Emacs vulnerabilities↗2024-09-19

▶

Red Hat

emacs: command execution via shell metacharacters↗2023-02-21

▶

Microsoft

GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file because lib-src/etags.c uses the system C library function in its implementation ↗2023-02-14

▶

Debian

CVE-2022-48337: emacs - GNU Emacs through 28.2 allows attackers to execute commands via shell metacharac...↗2022

▶