Vulnerability Description
An issue was discovered in GNU Emacs through 28.2. htmlfontify.el has a command injection vulnerability. In the hfy-istext-command function, the parameter file and parameter srcdir come from external input, and parameters are not escaped. If a file name or directory name contains shell metacharacters, code may be executed.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Gnu | Emacs | <= 28.2 |
Related Weaknesses (CWE)
References
- https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=1b4dc4691c1f87fc970fbe568Patch
- https://lists.debian.org/debian-lts-announce/2023/05/msg00008.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://www.debian.org/security/2023/dsa-5360Third Party Advisory
- https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=1b4dc4691c1f87fc970fbe568Patch
- https://lists.debian.org/debian-lts-announce/2023/05/msg00008.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://www.debian.org/security/2023/dsa-5360Third Party Advisory
FAQ
What is CVE-2022-48339?
CVE-2022-48339 is a vulnerability with a CVSS score of 7.8 (HIGH). An issue was discovered in GNU Emacs through 28.2. htmlfontify.el has a command injection vulnerability. In the hfy-istext-command function, the parameter file and parameter srcdir come from external ...
How severe is CVE-2022-48339?
CVE-2022-48339 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-48339?
Check the references section above for vendor advisories and patch information. Affected products include: Gnu Emacs.