ΠΠΏΠΈΡΠ°Π½ΠΈΠ΅
In Emacs before 29.3, Gnus treats inline MIME contents as trusted.
A flaw was found in Emacs. When Emacs is used as an email client, inline MIME attachments are considered to be trusted by default, allowing a crafted LaTeX document to exhaust the disk space or the inodes allocated for the partition where the /tmp directory is located. This issue possibly results in a denial of service.
ΠΡΡΠ΅Ρ
This issue is very similar to CVE-2024-30204. See https://access.redhat.com/security/cve/CVE-2024-30204. Within regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low. Red Hat restricts access to all platform information by default, granting access only after successful hard token-based multi-factor authentication (MFA) and following least privilege principles to ensure that only authorized users and roles can execute or modify code. Event logs are collected and processed for centralization, correlation, analysis, monitoring, alerting, and retention, ensuring that audit records are generated for security-relevant events involving sensitive data and that mechanisms such as digital signatures and certificates verify the authenticity and origin of logged information. Certificates for both external infrastructure and internal cluster components are established and maintained within a secure environment, using cryptographic authentication to prevent the acceptance of untrusted data. The platform also enforces FIPS-validated cryptographic modules across all compute resources, helping ensure that intercepted data cannot be accessed or interpreted by unauthorized actors.
ΠΠ΅ΡΡ ΠΏΠΎ ΡΠΌΡΠ³ΡΠ΅Π½ΠΈΡ ΠΏΠΎΡΠ»Π΅Π΄ΡΡΠ²ΠΈΠΉ
Do not open emails from untrusted sources.
ΠΠ°ΡΡΠΎΠ½ΡΡΡΠ΅ ΠΏΠ°ΠΊΠ΅ΡΡ
| ΠΠ»Π°ΡΡΠΎΡΠΌΠ° | ΠΠ°ΠΊΠ΅Ρ | Π‘ΠΎΡΡΠΎΡΠ½ΠΈΠ΅ | Π Π΅ΠΊΠΎΠΌΠ΅Π½Π΄Π°ΡΠΈΡ | Π Π΅Π»ΠΈΠ· |
|---|---|---|---|---|
| Red Hat Enterprise Linux 10 | emacs | Affected | ||
| Red Hat Enterprise Linux 6 | emacs | Out of support scope | ||
| Red Hat Enterprise Linux 7 | emacs | Out of support scope | ||
| Red Hat Enterprise Linux 8 | emacs | Fixed | RHSA-2024:6987 | 24.09.2024 |
| Red Hat Enterprise Linux 8 | emacs | Fixed | RHSA-2024:6987 | 24.09.2024 |
| Red Hat Enterprise Linux 9 | emacs | Fixed | RHSA-2024:9302 | 12.11.2024 |
ΠΠΎΠΊΠ°Π·ΡΠ²Π°ΡΡ ΠΏΠΎ
ΠΠΎΠΏΠΎΠ»Π½ΠΈΡΠ΅Π»ΡΠ½Π°Ρ ΠΈΠ½ΡΠΎΡΠΌΠ°ΡΠΈΡ
Π‘ΡΠ°ΡΡΡ:
EPSS
5.5 Medium
CVSS3
Π‘Π²ΡΠ·Π°Π½Π½ΡΠ΅ ΡΡΠ·Π²ΠΈΠΌΠΎΡΡΠΈ
In Emacs before 29.3, Gnus treats inline MIME contents as trusted.
In Emacs before 29.3, Gnus treats inline MIME contents as trusted.
In Emacs before 29.3, Gnus treats inline MIME contents as trusted.
In Emacs before 29.3, Gnus treats inline MIME contents as trusted.
EPSS
5.5 Medium
CVSS3