Vulnerability Description
GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system C library function in its implementation of the ctags program. For example, a victim may use the "ctags *" command (suggested in the ctags documentation) in a situation where the current working directory has contents that depend on untrusted input.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Gnu | Emacs | <= 28.2 |
| Debian | Debian Linux | 10.0 |
| Fedoraproject | Fedora | 36 |
Related Weaknesses (CWE)
References
- https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=d48bb4874bc6cd3e69c7a15fcPatch
- https://lists.debian.org/debian-lts-announce/2022/12/msg00046.htmlMailing ListThird Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://www.debian.org/security/2023/dsa-5314Third Party Advisory
- https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=d48bb4874bc6cd3e69c7a15fcPatch
- https://lists.debian.org/debian-lts-announce/2022/12/msg00046.htmlMailing ListThird Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://www.debian.org/security/2023/dsa-5314Third Party Advisory
FAQ
What is CVE-2022-45939?
CVE-2022-45939 is a vulnerability with a CVSS score of 7.8 (HIGH). GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system C library function in its implementation...
How severe is CVE-2022-45939?
CVE-2022-45939 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-45939?
Check the references section above for vendor advisories and patch information. Affected products include: Gnu Emacs, Debian Debian Linux, Fedoraproject Fedora.