Vulnerability Description
An issue was discovered in GNU Emacs through 28.2. In ruby-mode.el, the ruby-find-library-file function has a local command injection vulnerability. The ruby-find-library-file function is an interactive function, and bound to C-c C-f. Inside the function, the external command gem is called through shell-command-to-string, but the feature-name parameters are not escaped. Thus, malicious Ruby source files may cause commands to be executed.
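The unsafe pattern the description refers to, beside two hardened forms, as an added Emacs Lisp illustration (not the code of ruby-mode.el itself; the `example-` function names and the `gem which` invocation are assumptions made for the example):

```elisp
;; Added illustration, not ruby-mode.el itself.  The vulnerable shape
;; splices a feature name taken from the buffer (e.g. the argument of a
;; Ruby `require') straight into a shell command line.
(defun example-gem-which-unsafe (feature)
  "Vulnerable pattern: FEATURE is spliced unescaped into a shell string."
  (shell-command-to-string (concat "gem which " feature)))

;; Hardened form 1: keep the shell, but quote the untrusted argument so
;; shell metacharacters in FEATURE reach gem as literal text.
(defun example-gem-which-quoted (feature)
  "Run `gem which FEATURE' with FEATURE shell-quoted."
  (shell-command-to-string
   (concat "gem which " (shell-quote-argument feature))))

;; Hardened form 2 (preferable): no shell at all.  `process-lines' runs
;; the program directly with an argument vector, so there is no command
;; line for untrusted text to break out of.
(defun example-gem-which-direct (feature)
  "Return the first line `gem which FEATURE' prints, or nil, without a shell."
  (when (and (stringp feature) (> (length feature) 0))
    (ignore-errors
      (car (process-lines "gem" "which" feature)))))

;; Defence in depth: a Ruby library name is a path-like token.  Rejecting
;; anything else before spawning a process keeps a hostile source file
;; from reaching the external command at all.
(defun example-valid-feature-name-p (feature)
  "Non-nil if FEATURE looks like a plausible Ruby library name."
  (and (stringp feature)
       (string-match-p "\\`[A-Za-z0-9_./-]+\\'" feature)))

(defun example-find-library-file (feature)
  "Validate FEATURE, then locate it via gem without involving a shell."
  (and (example-valid-feature-name-p feature)
       (example-gem-which-direct feature)))
```

When reviewing a patch for this class of bug, look for `shell-command-to-string`, `shell-command` or `start-process-shell-command` taking buffer-derived text, and prefer `call-process`/`process-lines` over quoting where the shell adds nothing.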
CVSS Score
7.3 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Gnu | Emacs | <= 28.2 |
Related Weaknesses (CWE)
References
- https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=9a3b08061feea14d6f37685ca (Patch)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://www.debian.org/security/2023/dsa-5360 (Third Party Advisory)
FAQ
What is CVE-2022-48338?
CVE-2022-48338 is a vulnerability with a CVSS score of 7.3 (HIGH). An issue was discovered in GNU Emacs through 28.2. In ruby-mode.el, the ruby-find-library-file function has a local command injection vulnerability. The ruby-find-library-file function is an interacti...
How severe is CVE-2022-48338?
CVE-2022-48338 has been rated HIGH with a CVSS base score of 7.3/10. See the CVSS Score section above.
Is there a patch for CVE-2022-48338?
Check the references section above for vendor advisories and patch information. Affected products include: Gnu Emacs.