Command Injection

2023-03-1119:21:03

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

emacs

vulnerability

command injection

ruby-find-library-file

shell-command-to-string

0.0004 Low

EPSS

Percentile

5.1%

JSON

emacs is vulnerable to Command Injection. The vulnerability exists due to the feature-name parameter in the ruby-find-library-file function and bound to C-c C-f. functions are not properly escaped, allowing an attacker to inject and execute malicious commands by calling through shell-command-to-string

CPENameOperatorVersion
emacs:bullseyeeq1:27.1+1-3
emacs:sideq1:27.1+1-3
emacs:bookwormeq1:27.1+1-3.1
emacseq23.1__28.el6
emacseq23.1__25.el6
emacseq26.1__11.el8
emacseq24.3__20.el7_4
emacseq24.3__23.el7_9.1
emacseq26.1__7.el8
emacseq27.2__3.hs.el8

Name	Operator	Version
emacs:bullseye	eq	1:27.1+1-3
emacs:sid	eq	1:27.1+1-3
emacs:bookworm	eq	1:27.1+1-3.1
emacs	eq	23.1__28.el6
emacs	eq	23.1__25.el6
emacs	eq	26.1__11.el8
emacs	eq	24.3__20.el7_4
emacs	eq	24.3__23.el7_9.1
emacs	eq	26.1__7.el8
emacs	eq	27.2__3.hs.el8