CVE-2022-48338

Name
CVE-2022-48338
Description
An issue was discovered in GNU Emacs through 28.2. In ruby-mode.el, the ruby-find-library-file function has a local command injection vulnerability. ruby-find-library-file is an interactive function bound to C-c C-f. Inside the function, the external command gem is invoked through shell-command-to-string, but the feature-name argument is not shell-escaped before being interpolated into the command line. Thus, a malicious Ruby source file may cause arbitrary commands to be executed when the user runs this function on it.
NVD Severity
medium

References

Type    URI
MISC    https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=9a3b08061feea14d6f37685ca1ab8801758bfd1c
DEBIAN  https://www.debian.org/security/2023/dsa-5360
        https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U6HDBUQNAH2WL4MHWCTUZLN7NGF7CHTK/
        https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FLPQ4K6H2S5TY3L5UDN4K4B3L5RQJYQ6/

Match rules

CPE URI                                   Source package   Min version   Max version
cpe:2.3:a:gnu:emacs:*:*:*:*:*:*:*:*       emacs            >= None       <= 28.2

Vulnerable and fixed packages

Source package   Branch            Version   Maintainer                              Status
emacs            3.18-community    28.2-r8   Natanael Copa <ncopa@alpinelinux.org>   possibly vulnerable