{
  "threat_severity" : "Important",
  "public_date" : "2023-05-09T00:00:00Z",
  "bugzilla" : {
    "description" : "emacs: Regression of CVE-2023-28617 fixes in the Red Hat Enterprise Linux",
    "id" : "2192873",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2192873"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-77",
  "details" : [ "A flaw was found in the Emacs text editor. Processing a specially crafted org-mode code with the \"org-babel-execute:latex\" function in ob-latex.el can result in arbitrary command execution. This CVE exists because of a CVE-2023-28617 security regression for the emacs package in Red Hat Enterprise Linux 8.8 and Red Hat Enterprise Linux 9.2.", "A flaw was found in the Emacs text editor. Processing a specially crafted org-mode code with the \"org-babel-execute:latex\" function in ob-latex.el can result in arbitrary command execution. This CVE exists because of a CVE-2023-28617 security regression for the emacs package in Red Hat Enterprise Linux 8.8 and Red Hat Enterprise Linux 9.2." ],
  "statement" : "This issue only affects Red Hat Enterprise Linux 8.8 and Red Hat Enterprise Linux 9.2, which introduced this regression via the following errata:\nhttps://access.redhat.com/errata/RHSA-2023:3042 (Red Hat Enterprise Linux 8.8)\nhttps://access.redhat.com/errata/RHSA-2023:2366 (Red Hat Enterprise Linux 9.2)\nThese errata provided updates for emacs package, but did not include fixes for CVE-2023-28617.\nA user who installs or updates to Red Hat Enterprise Linux 8.8 or Red Hat Enterprise Linux 9.2 would be vulnerable to the CVE-2023-28617, even if they were properly fixed in Red Hat Enterprise Linux 8.7 and in Red Hat Enterprise Linux 9.1. The CVE-2023-2491 was assigned to that Red Hat specific security regression and it is not applicable to any upstream emacs version or emacs packages of any other vendor that are not directly based on Red Hat Enterprise Linux packages.\nFor more details about the original security issue CVE-2023-28617, refer to the CVE page: https://access.redhat.com/security/cve/CVE-2023-28617.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2023-05-16T00:00:00Z",
    "advisory" : "RHSA-2023:3104",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "emacs-1:26.1-10.el8_8.2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2023-05-16T00:00:00Z",
    "advisory" : "RHSA-2023:3104",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "emacs-1:26.1-10.el8_8.2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-05-09T00:00:00Z",
    "advisory" : "RHSA-2023:2626",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "emacs-1:27.2-8.el9_2.1"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "emacs",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "emacs",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-2491\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-2491" ],
  "name" : "CVE-2023-2491",
  "csaw" : false
}