CVE-2022-48338

Name of the Vulnerable Software and Affected Versions GNU Emacs versions through 28.2

Description An issue was discovered in GNU Emacs where the ruby-find-library-file function in ruby-mode.el has a local command injection vulnerability. The ruby-find-library-file function is an interactive function bound to C-c C-f. Inside the function, the external command gem is called through shell-command-to-string, but the feature-name parameters are not escaped, allowing malicious Ruby source files to cause commands to be executed.

Recommendations For GNU Emacs versions through 28.2, as a temporary workaround, consider disabling the ruby-find-library-file function until a patch is available. Restrict access to the ruby-mode.el module to minimize the risk of exploitation. Avoid using the feature-name parameters in the affected function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.