CVE-2022-48337

Source
https://cve.org/CVERecord?id=CVE-2022-48337
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-48337.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-48337
Downstream
Related
Published
2023-02-20T00:00:00Z
Modified
2026-07-19T04:21:20.027029232Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system C library function in its implementation of the etags program. For example, a victim may use the "etags -u *" command (suggested in the etags documentation) in a situation where the current working directory has contents that depend on untrusted input.

Database specific
{
    "cna_assigner": "mitre",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/48xxx/CVE-2022-48337.json"
}
References

Affected packages

Git / cgit.git.savannah.gnu.org/cgit/emacs.git

Affected ranges

Type
GIT
Repo
https://cgit.git.savannah.gnu.org/cgit/emacs.git
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
01a4035c869b91c153af9a9132c87adb7669ea1c
Database specific
{
    "source": "REFERENCES"
}
Type
GIT
Repo
https://https.git.savannah.gnu.org/git/emacs.git/
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
739b5d0e52d83ec567bd61a5a49ac0e93e0eb469
Database specific
{
    "source": [
        "DESCRIPTION",
        "CPE_RANGE"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "28.2"
        },
        {
            "last_affected": "28.2"
        }
    ],
    "cpe": "cpe:2.3:a:gnu:emacs:*:*:*:*:*:*:*:*"
}

Affected versions

emacs-19.*
emacs-19.34
emacs-20.*
emacs-20.1
emacs-20.2
emacs-20.3
emacs-20.4
emacs-28.*
emacs-28.0.90
emacs-28.0.91
emacs-28.0.92
emacs-28.1
emacs-28.1.90
emacs-28.1.91
emacs-pretest-21.*
emacs-pretest-21.0.100
emacs-pretest-21.0.101
emacs-pretest-21.0.102
emacs-pretest-21.0.103
emacs-pretest-21.0.104
emacs-pretest-21.0.105
emacs-pretest-21.0.106
emacs-pretest-21.0.90
emacs-pretest-21.0.91
emacs-pretest-21.0.92
emacs-pretest-21.0.93
emacs-pretest-21.0.95
emacs-pretest-21.0.96
emacs-pretest-21.0.97
emacs-pretest-21.0.98
emacs-pretest-21.0.99
emacs-pretest-22.*
emacs-pretest-22.0.90
emacs-pretest-22.0.91
emacs-pretest-22.0.92
emacs-pretest-22.0.93
emacs-pretest-22.0.94
emacs-pretest-22.0.95
emacs-pretest-22.0.96
emacs-pretest-22.0.97
emacs-pretest-22.0.98
emacs-pretest-23.*
emacs-pretest-23.0.90
emacs-pretest-23.0.91
emacs-pretest-23.0.92
emacs-pretest-23.0.93
emacs-pretest-23.0.94
emacs-pretest-23.0.95
emacs-pretest-23.1.90
emacs-pretest-23.1.91
emacs-pretest-23.1.92
mh-e-8.*
mh-e-8.0
mh-e-8.0.1
mh-e-8.0.2
mh-e-8.0.3
mh-e-8.1
mh-e-8.2
mh-e-doc-8.*
mh-e-doc-8.0
mh-e-doc-8.0.1
mh-e-doc-8.0.3
mh-e-doc-8.1
mh-e-doc-8.2
Other
ttn-vms-21-2-B4

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-48337.json"