{"id":"CVE-2022-48338","details":"An issue was discovered in GNU Emacs through 28.2. In ruby-mode.el, the ruby-find-library-file function has a local command injection vulnerability. The ruby-find-library-file function is an interactive function, and bound to C-c C-f. Inside the function, the external command gem is called through shell-command-to-string, but the feature-name parameters are not escaped. Thus, malicious Ruby source files may cause commands to be executed.","modified":"2026-04-15T23:59:14.778300997Z","published":"2023-02-20T23:15:12.297Z","related":["ALSA-2023:2626","SUSE-SU-2023:0598-1","openSUSE-SU-2024:12721-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FLPQ4K6H2S5TY3L5UDN4K4B3L5RQJYQ6/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U6HDBUQNAH2WL4MHWCTUZLN7NGF7CHTK/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2023/dsa-5360"},{"type":"FIX","url":"https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=9a3b08061feea14d6f37685ca1ab8801758bfd1c"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://cgit.git.savannah.gnu.org/cgit/emacs.git","events":[{"introduced":"0"},{"fixed":"9a3b08061feea14d6f37685ca1ab8801758bfd1c"}]},{"type":"GIT","repo":"https://git.savannah.gnu.org/git/emacs.git/","events":[{"introduced":"0"},{"last_affected":"739b5d0e52d83ec567bd61a5a49ac0e93e0eb469"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"28.2"}]}}],"versions":["emacs-19.34","emacs-20.1","emacs-20.2","emacs-20.3","emacs-20.4","emacs-22.1","emacs-22.2","emacs-22.3","emacs-23.2","emacs-23.3","emacs-23.4","emacs-24.0.96","emacs-24.0.97","emacs-24.1","emacs-24.2","emacs-24.2.90","emacs-24.2.91","emacs-24.2.92","emacs-24.2.93","emacs-24.3","emacs-24.3-rc1","emacs-24.3.90","emacs-24.3.91","emacs-24.3.92","emacs-24.3.93","emacs-24.3.94","emacs-24.4","emacs-24.4-rc1","emacs-24.4.90","emacs-24.4.91","emacs-24.5","emacs-24.5-rc1","emacs-24.5-rc2","emacs-24.5-rc3","emacs-24.5-rc3-fixed","emacs-25.0.90","emacs-25.0.91","emacs-25.0.92","emacs-25.0.93","emacs-25.0.94","emacs-25.0.95","emacs-25.1","emacs-25.1-rc1","emacs-25.1-rc2","emacs-25.1.90","emacs-25.1.91","emacs-25.2","emacs-25.2-rc1","emacs-25.2-rc2","emacs-26.0.90","emacs-26.0.91","emacs-26.1","emacs-26.1-rc1","emacs-26.1.90","emacs-26.1.91","emacs-26.1.92","emacs-26.2","emacs-26.2.90","emacs-26.3","emacs-26.3-rc1","emacs-27.0.90","emacs-27.0.91","emacs-27.1","emacs-27.1-rc1","emacs-27.1-rc2","emacs-27.1.90","emacs-27.1.91","emacs-27.2","emacs-27.2-rc1","emacs-27.2-rc2","emacs-28.0.90","emacs-28.0.91","emacs-28.0.92","emacs-28.1","emacs-28.1.90","emacs-28.1.91","emacs-28.2","emacs-pretest-21.0.100","emacs-pretest-21.0.101","emacs-pretest-21.0.102","emacs-pretest-21.0.103","emacs-pretest-21.0.104","emacs-pretest-21.0.105","emacs-pretest-21.0.106","emacs-pretest-21.0.90","emacs-pretest-21.0.91","emacs-pretest-21.0.92","emacs-pretest-21.0.93","emacs-pretest-21.0.95","emacs-pretest-21.0.96","emacs-pretest-21.0.97","emacs-pretest-21.0.98","emacs-pretest-21.0.99","emacs-pretest-22.0.90","emacs-pretest-22.0.91","emacs-pretest-22.0.92","emacs-pretest-22.0.93","emacs-pretest-22.0.94","emacs-pretest-22.0.95","emacs-pretest-22.0.96","emacs-pretest-22.0.97","emacs-pretest-22.0.98","emacs-pretest-22.0.99","emacs-pretest-22.0.990","emacs-pretest-22.1.90","emacs-pretest-22.1.91","emacs-pretest-22.1.92","emacs-pretest-22.2.90","emacs-pretest-22.2.91","emacs-pretest-22.2.92","emacs-pretest-23.0.90","emacs-pretest-23.0.91","emacs-pretest-23.0.92","emacs-pretest-23.0.93","emacs-pretest-23.0.94","emacs-pretest-23.0.95","emacs-pretest-23.1.90","emacs-pretest-23.1.91","emacs-pretest-23.1.92","emacs-pretest-23.1.93","emacs-pretest-23.1.94","emacs-pretest-23.1.95","emacs-pretest-23.1.96","emacs-pretest-23.1.97","emacs-pretest-23.2.90","emacs-pretest-23.2.91","emacs-pretest-23.2.92","emacs-pretest-23.2.93","emacs-pretest-23.2.93.1","emacs-pretest-23.2.94","emacs-pretest-23.3.90","emacs-pretest-24.0.05","emacs-pretest-24.0.90","emacs-pretest-24.0.91","emacs-pretest-24.0.92","emacs-pretest-24.0.93","emacs-pretest-24.0.94","emacs-pretest-24.0.95","mh-e-8.0","mh-e-8.0.1","mh-e-8.0.2","mh-e-8.0.3","mh-e-8.1","mh-e-8.2","mh-e-8.2.90","mh-e-8.2.91","mh-e-8.2.92","mh-e-8.2.93","mh-e-8.3","mh-e-8.3.1","mh-e-8.4","mh-e-8.5","mh-e-8.6","mh-e-doc-8.0","mh-e-doc-8.0.1","mh-e-doc-8.0.3","mh-e-doc-8.1","mh-e-doc-8.2","mh-e-doc-8.3","mh-e-doc-8.4","mh-e-doc-8.5","ttn-vms-21-2-B4"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-48338.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"}]}