CVE-2022-48338

Source
https://cve.org/CVERecord?id=CVE-2022-48338
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-48338.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-48338
Downstream
Related
Published
2023-02-20T00:00:00Z
Modified
2026-07-15T01:49:11.017636654Z
Severity
  • 7.3 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

An issue was discovered in GNU Emacs through 28.2. In ruby-mode.el, the ruby-find-library-file function has a local command injection vulnerability. The ruby-find-library-file function is an interactive function, and bound to C-c C-f. Inside the function, the external command gem is called through shell-command-to-string, but the feature-name parameters are not escaped. Thus, malicious Ruby source files may cause commands to be executed.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/48xxx/CVE-2022-48338.json",
    "cna_assigner": "mitre"
}
References

Affected packages

Git / cgit.git.savannah.gnu.org/cgit/emacs.git

Affected ranges

Type
GIT
Repo
https://cgit.git.savannah.gnu.org/cgit/emacs.git
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
9a3b08061feea14d6f37685ca1ab8801758bfd1c
Database specific
{
    "source": "REFERENCES"
}
Type
GIT
Repo
https://https.git.savannah.gnu.org/git/emacs.git/
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
739b5d0e52d83ec567bd61a5a49ac0e93e0eb469
Database specific
{
    "cpe": "cpe:2.3:a:gnu:emacs:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "28.2"
        },
        {
            "last_affected": "28.2"
        }
    ],
    "source": [
        "DESCRIPTION",
        "CPE_RANGE"
    ]
}

Affected versions

emacs-19.*
emacs-19.34
emacs-20.*
emacs-20.1
emacs-20.2
emacs-20.3
emacs-20.4
emacs-28.*
emacs-28.0.90
emacs-28.0.91
emacs-28.0.92
emacs-28.1
emacs-28.1.90
emacs-28.1.91
emacs-pretest-21.*
emacs-pretest-21.0.100
emacs-pretest-21.0.101
emacs-pretest-21.0.102
emacs-pretest-21.0.103
emacs-pretest-21.0.104
emacs-pretest-21.0.105
emacs-pretest-21.0.106
emacs-pretest-21.0.90
emacs-pretest-21.0.91
emacs-pretest-21.0.92
emacs-pretest-21.0.93
emacs-pretest-21.0.95
emacs-pretest-21.0.96
emacs-pretest-21.0.97
emacs-pretest-21.0.98
emacs-pretest-21.0.99
emacs-pretest-22.*
emacs-pretest-22.0.90
emacs-pretest-22.0.91
emacs-pretest-22.0.92
emacs-pretest-22.0.93
emacs-pretest-22.0.94
emacs-pretest-22.0.95
emacs-pretest-22.0.96
emacs-pretest-22.0.97
emacs-pretest-22.0.98
emacs-pretest-23.*
emacs-pretest-23.0.90
emacs-pretest-23.0.91
emacs-pretest-23.0.92
emacs-pretest-23.0.93
emacs-pretest-23.0.94
emacs-pretest-23.0.95
emacs-pretest-23.1.90
emacs-pretest-23.1.91
emacs-pretest-23.1.92
mh-e-8.*
mh-e-8.0
mh-e-8.0.1
mh-e-8.0.2
mh-e-8.0.3
mh-e-8.1
mh-e-8.2
mh-e-doc-8.*
mh-e-doc-8.0
mh-e-doc-8.0.1
mh-e-doc-8.0.3
mh-e-doc-8.1
mh-e-doc-8.2
Other
ttn-vms-21-2-B4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-48338.json"