PT-2023-9294 · GNU · GNU Emacs
Xi Lu · Published 2023-02-20 · Updated 2025-03-18 · CVE-2022-48337
CVSS v2.0: 10 (Critical)
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
GNU Emacs versions 28.2 and earlier
Description
The issue is an improper neutralization of special elements used in an operating system command (OS command injection). It can allow an attacker to execute arbitrary code via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system() C library function in its implementation of the etags program, so the file name is handed to a shell rather than passed to a program directly. For example, a victim may run the "etags -u *" command in a situation where the current working directory has contents that depend on untrusted input.
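The following Python script is an added example and is not code from the advisory or from GNU Emacs. It models the unsafe pattern the description gives (a file name concatenated into a string that reaches the C library system() call, i.e. /bin/sh -c) and shows the defender-side counterparts a practitioner would want before running "etags -u *" in a directory with untrusted contents: a pre-flight audit that flags file names containing shell metacharacters, an argv-list invocation in which each name is a single literal argument, and, as a fallback the page does not discuss, shlex quoting when a shell string is unavoidable. The sample directory listing is constructed for the demonstration; nothing in the script executes etags.

```python
"""Pre-flight check for the etags command-injection pattern (CVE-2022-48337).

Added example, not code from the advisory or from GNU Emacs. It assumes the
unsafe pattern the description gives: a file name is concatenated into a
string handed to the C library system() call, i.e. to /bin/sh -c, so shell
metacharacters in the name are interpreted. Nothing here runs etags; the
functions only build command lines and classify file names.
"""
import os
import re
import shlex
from typing import Dict, Iterable, List

# Characters that change the meaning of a command line once a file name is
# interpolated into a string executed by the shell (system()/sh -c).
SHELL_METACHARS = re.compile(r"[;&|<>`$(){}\[\]*?!#~\s'\"\\]")


def has_shell_metachars(name: str) -> bool:
    """True if the file name would be re-interpreted by a shell."""
    return SHELL_METACHARS.search(name) is not None


def vulnerable_command(name: str) -> str:
    """The pattern the advisory describes: raw concatenation into a shell
    string. Returned as text only so the reader can see what the shell
    would receive; never execute the result."""
    return "etags -u " + name


def hardened_argv(names: Iterable[str]) -> List[str]:
    """Build an argv list for subprocess.run(argv) (no shell=True).

    Each name becomes exactly one argument, so metacharacters are passed
    literally. Names starting with '-' are prefixed with './' so a file
    name cannot be parsed as an option.
    """
    argv = ["etags", "-u"]
    for n in names:
        argv.append("./" + n if n.startswith("-") else n)
    return argv


def quoted_shell_command(names: Iterable[str]) -> str:
    """If a shell string is unavoidable, quote every name with shlex.quote
    so the shell treats it as a single literal word."""
    parts = ["etags", "-u"]
    for n in names:
        parts.append(shlex.quote("./" + n if n.startswith("-") else n))
    return " ".join(parts)


def audit_listing(names: Iterable[str]) -> Dict[str, List[str]]:
    """Split a directory listing into names that are safe to hand to a
    shell-string invocation and names that are not."""
    clean, suspicious = [], []
    for n in names:
        (suspicious if has_shell_metachars(n) else clean).append(n)
    return {"clean": clean, "suspicious": suspicious}


def preflight(directory: str = ".") -> Dict[str, List[str]]:
    """Audit a working directory before running 'etags -u *' in it."""
    return audit_listing(sorted(os.listdir(directory)))


# Constructed sample listing for demonstration (not from the advisory).
SAMPLE_LISTING = ["main.c", "util.h", "build;log.c", "notes$(x).c", "-rf.c"]

if __name__ == "__main__":
    report = audit_listing(SAMPLE_LISTING)
    for n in report["suspicious"]:
        print("REFUSE shell-string invocation:", repr(n))
        print("  shell would see:", vulnerable_command(n))
    print("safe argv:", hardened_argv(SAMPLE_LISTING))
    print("safe quoted:", quoted_shell_command(SAMPLE_LISTING))
```

The audit is deliberately conservative: whitespace and glob characters are flagged along with the command separators, because a shell string splits and expands on all of them. The argv form is the real fix; quoting is only a mitigation for scripts that cannot be changed to avoid the shell.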
Recommendations
For GNU Emacs versions 28.2 and earlier, consider disabling the use of the etags program until a patch is available, or avoid using the "etags -u *" command in situations where the current working directory has contents that depend on untrusted input. Restrict access to the lib-src/etags.c component to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Weakness Enumeration
OS Command Injection
Related Identifiers
Affected Products
Alt Linux
AlmaLinux
Astra Linux
CentOS
GNU Emacs
Linux Mint
Red Hat
RED OS
SUSE
Ubuntu