Fluid Attacks Database

Description

GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system C library function in its implementation of the ctags program. For example, a victim may use the "ctags *" command (suggested in the ctags documentation) in a situation where the current working directory has contents that depend on untrusted input.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	xemacs21	>=0 <21.4.24-11	21.4.24-11
debian 11	emacs	=1:27.1+1-3.1 \|\| >=0 <1:27.1+1-3.1+deb11u1	1:27.1+1-3.1+deb11u1
debian 12	emacs	>=0 <1:28.2+1-8	1:28.2+1-8
debian 13	emacs	>=0 <1:28.2+1-8	1:28.2+1-8
debian 14	emacs	>=0 <1:28.2+1-8	1:28.2+1-8
debian 11	xemacs21	=21.4.24-10 \|\| =21.4.24-11 \|\| =21.4.24-12 \|\| =21.4.24-9	-
rpm rhel8	emacs	<1:26.1-9.el8	1:26.1-9.el8
rpm rhel7	emacs	-	-
rpm rhel6	emacs	-	-
rpm rhel8.6	emacs	<1:26.1-7.el8_6.3	1:26.1-7.el8_6.3

1-10 of 11

Aliases

1. CVE-2022-459392. NVD-2022-459393. OSV-DEBIAN-2022-459394. OSV-2022-459395. SECURITY-TRACKER-CVE-2022-45939

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.