Skip to main content

Emacs CVE-2022-45939

HIGH
OS Command Injection (CWE-78)
2022-11-28 cve@mitre.org
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Nov 28, 2022 - 06:15 nvd
HIGH 7.8

DescriptionNVD

GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system C library function in its implementation of the ctags program. For example, a victim may use the "ctags *" command (suggested in the ctags documentation) in a situation where the current working directory has contents that depend on untrusted input.

AnalysisAI

GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system C library function in its. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.

Technical ContextAI

This vulnerability is classified as OS Command Injection (CWE-78), which allows attackers to execute arbitrary operating system commands on the host. GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system C library function in its implementation of the ctags program. For example, a victim may use the "ctags *" command (suggested in the ctags documentation) in a situation where the current working directory has contents that depend on untrusted input. Affected products include: Gnu Emacs, Debian Debian Linux, Fedoraproject Fedora. Version information: through 28.2.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Avoid passing user input to shell commands. Use language-specific APIs instead of shell execution. Apply strict input validation with allowlists.

More in Emacs

View all
CVE-2012-0035 CRITICAL
9.3 Jan 19

Untrusted search path vulnerability in EDE in CEDET before 1.0.1, as used in GNU Emacs before 23.4 and other products, a

CVE-2024-39331 CRITICAL
9.8 Jun 23

In Emacs before 29.4, org-link-expand-abbrev in lisp/ol.el expands a %(...) link abbrev even when it specifies an unsafe

CVE-2017-14482 HIGH
8.8 Sep 14

GNU Emacs before 25.3 allows remote attackers to execute arbitrary code via email with crafted "Content-Type: text/enric

CVE-2024-53920 HIGH
7.8 Nov 27

In elisp-mode.el in GNU Emacs before 30.1, a user who chooses to invoke elisp-completion-at-point (for code completion)

CVE-2024-30202 HIGH
7.8 Mar 25

In Emacs before 29.3, arbitrary Lisp code is evaluated as part of turning on Org mode. Rated high severity (CVSS 7.8), t

CVE-2023-2491 HIGH
7.8 May 17

A flaw was found in the Emacs text editor. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

CVE-2023-27986 HIGH
7.8 Mar 09

emacsclient-mail.desktop in Emacs 28.1 through 28.2 is vulnerable to Emacs Lisp code injections through a crafted mailto

CVE-2023-27985 HIGH
7.8 Mar 09

emacsclient-mail.desktop in Emacs 28.1 through 28.2 is vulnerable to shell command injections through a crafted mailto:

CVE-2014-9483 HIGH
7.5 Aug 28

Emacs 24.4 allows remote attackers to bypass security restrictions. Rated high severity (CVSS 7.5), this vulnerability i

CVE-2012-3479 MEDIUM
6.8 Aug 25

lisp/files.el in Emacs 23.2, 23.3, 23.4, and 24.1 automatically executes eval forms in local-variable sections when the

CVE-2024-30205 HIGH
7.1 Mar 25

In Emacs before 29.3, Org mode considers contents of remote files to be trusted. Rated high severity (CVSS 7.1), this vu

CVE-2026-6861 MEDIUM
6.1 Apr 22

Memory corruption in GNU Emacs SVG/CSS processing allows local attackers to trigger denial of service or information dis

Share

CVE-2022-45939 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy