Lucene search

MitreCVE-2017-14482

HistorySep 14, 2017 - 4:29 p.m.

CVE-2017-14482

2017-09-1416:29:00

mitre

web.nvd.nist.gov

203

cve

2017

14482

remote code execution

gnu emacs

security vulnerability

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

8.9

Confidence

High

EPSS

0.031

Percentile

91.1%

JSON

GNU Emacs before 25.3 allows remote attackers to execute arbitrary code via email with crafted “Content-Type: text/enriched” data containing an x-display XML element that specifies execution of shell commands, related to an unsafe text/enriched extension in lisp/textmodes/enriched.el, and unsafe Gnus support for enriched and richtext inline MIME objects in lisp/gnus/mm-view.el. In particular, an Emacs user can be instantly compromised by reading a crafted email message (or Usenet news article).

Affected configurations

Nvd

Node

gnuemacsRange≤25.2

Node

debiandebian_linuxMatch8.0

VendorProductVersionCPE
gnuemacs*cpe:2.3:a:gnu:emacs:*:*:*:*:*:*:*:*
debiandebian_linux8.0cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
gnu	emacs	*	cpe:2.3:a:gnu:emacs::::::::
debian	debian_linux	8.0	cpe:2.3:o:debian:debian_linux:8.0:::::::*

References

www.debian.org/security/2017/dsa-3975

www.openwall.com/lists/oss-security/2017/09/11/1

access.redhat.com/errata/RHSA-2017:2771

debbugs.gnu.org/cgi/bugreport.cgi?bug=28350

git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-25&id=9ad0fcc54442a9a01d41be19880250783426db70

security.gentoo.org/glsa/201801-07

www.debian.org/security/2017/dsa-3970

www.gnu.org/software/emacs/index.html#Releases

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

8.9

Confidence

High

EPSS

0.031

Percentile

91.1%

JSON

Related for CVE-2017-14482