exploitDog
CVE-2024-30205

Published: 25 Mar 2024
Source: redhat
CVSS3: 7.8
EPSS: Low

Description

In Emacs before 29.3, Org mode considers contents of remote files to be trusted. This affects Org Mode before 9.6.23.

A flaw was found in Emacs. Org mode considers the content of remote files, such as files opened with TRAMP on remote systems, to be trusted, resulting in arbitrary code execution.

Statement

To exploit this flaw, an attacker needs to trick a user into opening a crafted Org mode file from a remote system. For this reason, this flaw has been rated with a Moderate security impact. Within regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low. Red Hat restricts access to all platform information by default, granting access only after successful hard token-based multi-factor authentication (MFA) and following least privilege principles to ensure that only authorized users and roles can execute or modify code. Event logs are collected and processed for centralization, correlation, analysis, monitoring, alerting, and retention, ensuring that audit records are generated for security-relevant events involving sensitive data and that mechanisms such as digital signatures and certificates verify the authenticity and origin of logged information. Certificates for both external infrastructure and internal cluster components are established and maintained within a secure environment, using cryptographic authentication to prevent the acceptance of untrusted data. The platform also enforces FIPS-validated cryptographic modules across all compute resources, helping ensure that intercepted data cannot be accessed or interpreted by unauthorized actors.

Mitigation

Do not open untrusted Org mode files from a remote system.

Affected packages

Platform                    Package  State                 Advisory        Released
Red Hat Enterprise Linux 6  emacs    Out of support scope
Red Hat Enterprise Linux 7  emacs    Out of support scope
Red Hat Enterprise Linux 8  emacs    Fixed                 RHSA-2024:6987  24 Sep 2024
Red Hat Enterprise Linux 9  emacs    Fixed                 RHSA-2024:9302  12 Nov 2024
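An added check, not part of the Red Hat advisory or of the exploitDog page, for deciding whether a host is still inside the affected range given in the description and the table above. For upstream builds it compares the running Org version against 9.6.23 and the Emacs version against 29.3. For the RHEL packages it instead looks for CVE-2024-30205 in the RPM changelog, because a backported fix (the RHSAs above) leaves the bundled Org version string unchanged, so a version comparison alone would wrongly report a patched RHEL host as vulnerable. The version strings and changelog excerpt used in the test are constructed; `emacs --batch --eval` and `rpm -q --changelog` are standard commands, and the live check runs only where those tools exist.

```shell
#!/bin/sh
# Added example (not from the advisory): is this host still exposed to CVE-2024-30205?
# Two independent signals are combined:
#   1. upstream version: the fix shipped in Org 9.6.23 / Emacs 29.3
#   2. distro backport: RHEL keeps the old Org version string but records the
#      CVE in the RPM changelog, so the changelog is the authoritative check there.

# Reduce a version string to its dotted numeric prefix ("9.6.23-g1a2b3c" -> "9.6.23").
numeric_version() {
    printf '%s' "$1" | sed 's/[^0-9.].*$//'
}

# version_ge A B: succeed when dotted version A >= B, comparing component-wise.
version_ge() {
    a=$(numeric_version "$1")
    b=$(numeric_version "$2")
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a='' ;; esac
        case $b in *.*) b=${b#*.} ;; *) b='' ;; esac
        if [ "${ai:-0}" -gt "${bi:-0}" ]; then return 0; fi
        if [ "${ai:-0}" -lt "${bi:-0}" ]; then return 1; fi
    done
    return 0
}

# Upstream fix boundaries taken from the advisory text.
org_fixed()   { version_ge "$1" "9.6.23"; }
emacs_fixed() { version_ge "$1" "29.3"; }

# Distro packages: a changelog entry naming the CVE means the backport is present.
changelog_has_fix() {
    printf '%s\n' "$1" | grep -q 'CVE-2024-30205'
}

# verdict ORG_VERSION EMACS_VERSION CHANGELOG -> "fixed" / "vulnerable" / "unknown".
# The changelog wins over the version strings, for the backport reason given above.
verdict() {
    if [ -n "$3" ] && changelog_has_fix "$3"; then echo fixed; return 0; fi
    if [ -n "$1" ]; then
        if org_fixed "$1"; then echo fixed; else echo vulnerable; fi
        return 0
    fi
    if [ -n "$2" ]; then
        if emacs_fixed "$2"; then echo fixed; else echo vulnerable; fi
        return 0
    fi
    echo unknown
}

# Live check: only runs where the tools exist, so the script is harmless elsewhere.
org_v=''; emacs_v=''; changelog=''
if command -v emacs >/dev/null 2>&1; then
    org_v=$(emacs --batch --eval '(progn (require (quote org)) (princ (org-version)))' 2>/dev/null)
    emacs_v=$(emacs --batch --eval '(princ emacs-version)' 2>/dev/null)
fi
if command -v rpm >/dev/null 2>&1 && rpm -q emacs >/dev/null 2>&1; then
    changelog=$(rpm -q --changelog emacs 2>/dev/null)
fi
printf 'Org %s, Emacs %s: %s\n' "${org_v:-?}" "${emacs_v:-?}" \
    "$(verdict "$org_v" "$emacs_v" "$changelog")"
```

On a RHEL 8 or 9 host the emacs RPM keeps reporting its original Org version after RHSA-2024:6987 or RHSA-2024:9302 is installed, so only the changelog branch of `verdict` gives the right answer there; on a self-built Emacs or an Org installed from ELPA, the `(org-version)` comparison is the one that matters.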

Additional information

Status: Moderate
Weakness: CWE-349
Red Hat Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2280298
  emacs: Org mode considers contents of remote files to be trusted

EPSS: 0.0003 (percentile 7%, Low)
CVSS3: 7.8 (High)

Related vulnerabilities

ubuntu (CVSS3: 7.1, about 1 year ago)
In Emacs before 29.3, Org mode considers contents of remote files to be trusted. This affects Org Mode before 9.6.23.

nvd (CVSS3: 7.1, about 1 year ago)
In Emacs before 29.3, Org mode considers contents of remote files to be trusted. This affects Org Mode before 9.6.23.

msrc (CVSS3: 7.1, 12 months ago)
No description available.

debian (CVSS3: 7.1, about 1 year ago)
In Emacs before 29.3, Org mode considers contents of remote files to b ...

github (CVSS3: 7.1, about 1 year ago)
In Emacs before 29.3, Org mode considers contents of remote files to be trusted. This affects Org Mode before 9.6.23.
