An issue was discovered in GNU Emacs through 28.2. In ruby-mode.el, the ruby-find-library-file function has a local command injection vulnerability. The ruby-find-library-file function is an interactive function, and bound to C-c C-f. Inside the function, the external command gem is called through shell-command-to-string, but the feature-name parameters are not escaped. Thus, malicious Ruby source files may cause commands to be executed.
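As an added illustration (not the Emacs project's own code, nor the patched ruby-mode.el), the unquoted interpolation pattern the description refers to, beside two hardened forms; the `gem which` subcommand and the `demo-` helper names are assumptions:

```elisp
;; Added illustration, not code from Emacs or from the fix commit.
;; Assumptions: the gem subcommand is "which"; helper names are mine.

(defun demo-gem-which-unsafe (feature-name)
  "Unsafe: FEATURE-NAME is spliced into a shell string unquoted.
Any shell metacharacter in it is interpreted by the shell that
`shell-command-to-string' spawns; feature names are read from Ruby
source, so the file being edited controls this string."
  (shell-command-to-string (format "gem which %s" feature-name)))

(defun demo-gem-which-quoted (feature-name)
  "Hardened: quote FEATURE-NAME so the shell sees one literal word."
  (shell-command-to-string
   (concat "gem which " (shell-quote-argument feature-name))))

(defun demo-gem-which-no-shell (feature-name)
  "Hardened further: bypass the shell and pass argv to gem directly,
so the argument list is never re-parsed."
  (with-temp-buffer
    (call-process "gem" nil t nil "which" feature-name)
    (buffer-string)))

;; Constructed input containing shell metacharacters, used only to
;; compare the command string each form would hand to the shell.
;; Evaluating this `let' runs nothing; it just returns the two strings.
(let ((name "json; oops"))
  (list (format "gem which %s" name)
        (concat "gem which " (shell-quote-argument name))))
```

The first string in the returned list still contains the bare `;`, while in the second every metacharacter is backslash-escaped by `shell-quote-argument`.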
History
07 Nov 2023, 03:56
Type | Values Removed | Values Added
---|---|---
References | |

14 Oct 2023, 03:15
Type | Values Removed | Values Added
---|---|---
References | |

28 Sep 2023, 04:15
Type | Values Removed | Values Added
---|---|---
References | |

03 Mar 2023, 18:26
Type | Values Removed | Values Added
---|---|---
CVSS | v2 : v3 : | v2 : unknown, v3 : 7.3

02 Mar 2023, 16:20
Type | Values Removed | Values Added
---|---|---
First Time | Gnu; Gnu emacs |
CPE | cpe:2.3:a:gnu:emacs:*:*:*:*:*:*:*:* |
CWE | CWE-77 |
CVSS | v2 : v3 : | v2 : unknown, v3 : 9.8
References | (MISC) https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=9a3b08061feea14d6f37685ca1ab8801758bfd1c - Patch |
References | (DEBIAN) https://www.debian.org/security/2023/dsa-5360 - Third Party Advisory |

24 Feb 2023, 16:15
Type | Values Removed | Values Added
---|---|---
References | |

20 Feb 2023, 23:15
Type | Values Removed | Values Added
---|---|---
New CVE | |
Information
Published : 2023-02-20 23:15
Updated : 2023-12-10 14:48
NVD link : CVE-2022-48338
Mitre link : CVE-2022-48338
CVE.ORG link : CVE-2022-48338
Products Affected
gnu
- emacs
CWE
CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')