CVE-2022-48339

CWE-116 CWE-1116 CWE-77 — Command Injection9 documents8 sources

Severity

7.8HIGH

EPSS

0.1%

top 71.35%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GNU Emacs

Timeline

PublishedFeb 20

Latest updateSep 19

Description

An issue was discovered in GNU Emacs through 28.2. htmlfontify.el has a command injection vulnerability. In the hfy-istext-command function, the parameter file and parameter srcdir come from external input, and parameters are not escaped. If a file name or directory name contains shell metacharacters, code may be executed.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages2 packages

▶Debianemacs< 1:27.1+1-3.1+deb11u2+3

▶NVDgnu/emacs28.2

Patches

Patch: git.savannah.gnu.org ↗Patch: git.savannah.gnu.org ↗

🔴Vulnerability Details

GHSA

GHSA-jwxq-f9vm-725g: An issue was discovered in GNU Emacs through 28↗2023-02-21

▶

OSV

CVE-2022-48339: An issue was discovered in GNU Emacs through 28↗2023-02-20

▶

CVEList

CVE-2022-48339: An issue was discovered in GNU Emacs through 28↗2023-02-20

▶

📋Vendor Advisories

Ubuntu

Emacs vulnerabilities↗2024-09-19

▶

Ubuntu

Emacs vulnerability↗2023-03-15

▶

Red Hat

emacs: command injection vulnerability in htmlfontify.el↗2023-02-21

▶

Microsoft

An issue was discovered in GNU Emacs through 28.2. htmlfontify.el has a command injection vulnerability. In the hfy-istext-command function the parameter file and parameter srcdir come from external i↗2023-02-14

▶

Debian

CVE-2022-48339: emacs - An issue was discovered in GNU Emacs through 28.2. htmlfontify.el has a command ...↗2022

▶