{
  "threat_severity" : "Moderate",
  "public_date" : "2023-02-21T00:00:00Z",
  "bugzilla" : {
    "description" : "emacs: command execution via shell metacharacters",
    "id" : "2171987",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2171987"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-77",
  "details" : [ "GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system C library function in its implementation of the etags program. For example, a victim may use the \"etags -u *\" command (suggested in the etags documentation) in a situation where the current working directory has contents that depend on untrusted input.", "A flaw was found in the Emacs package. This flaw allows attackers to execute commands via shell metacharacters in the name of a source-code file." ],
  "statement" : "This vulnerability is only triggered when a local user introduces untrusted input, via a file with a crafted name. For this reason, this flaw has been rated with a Moderate security impact.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2023-11-14T00:00:00Z",
    "advisory" : "RHSA-2023:7083",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "emacs-1:26.1-11.el8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2023-11-14T00:00:00Z",
    "advisory" : "RHSA-2023:7083",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "emacs-1:26.1-11.el8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Extended Update Support",
    "release_date" : "2024-03-05T00:00:00Z",
    "advisory" : "RHSA-2024:1103",
    "cpe" : "cpe:/a:redhat:rhel_eus:8.6",
    "package" : "emacs-1:26.1-7.el8_6.3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Extended Update Support",
    "release_date" : "2024-03-19T00:00:00Z",
    "advisory" : "RHSA-2024:1408",
    "cpe" : "cpe:/a:redhat:rhel_eus:8.8",
    "package" : "emacs-1:26.1-10.el8_8.4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-05-09T00:00:00Z",
    "advisory" : "RHSA-2023:2626",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "emacs-1:27.2-8.el9_2.1"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "emacs",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Will not fix",
    "package_name" : "emacs",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-48337\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-48337" ],
  "name" : "CVE-2022-48337",
  "csaw" : false
}