Fluid Attacks Database

Description

GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system C library function in its implementation of the etags program. For example, a victim may use the "etags -u *" command (suggested in the etags documentation) in a situation where the current working directory has contents that depend on untrusted input.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	emacs	=1:27.1+1-3.1 \|\| =1:27.1+1-3.1+deb11u1 \|\| >=0 <1:27.1+1-3.1+deb11u2	1:27.1+1-3.1+deb11u2
debian 12	emacs	>=0 <1:28.2+1-11	1:28.2+1-11
debian 13	emacs	>=0 <1:28.2+1-11	1:28.2+1-11
debian 14	emacs	>=0 <1:28.2+1-11	1:28.2+1-11
rpm rhel8.6	emacs	<1:26.1-7.el8_6.3	1:26.1-7.el8_6.3
rpm rhel6	emacs	-	-
rpm rhel9	emacs	<1:27.2-8.el9_2.1	1:27.2-8.el9_2.1
rpm rhel7	emacs	-	-
rpm rhel8.8	emacs	<1:26.1-10.el8_8.4	1:26.1-10.el8_8.4
rpm rhel8	emacs	<1:26.1-11.el8	1:26.1-11.el8

Aliases

1. CVE-2022-483372. NVD-2022-483373. OSV-DEBIAN-2022-483374. OSV-2022-483375. SECURITY-TRACKER-CVE-2022-48337

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.