CVE-2023-2491 : A flaw was found in the Emacs text editor. Processing a specially crafted org-mo

A flaw was found in the Emacs text editor. Processing a specially crafted org-mode code with the "org-babel-execute:latex" function in ob-latex.el can result in arbitrary command execution. This CVE exists because of a CVE-2023-28617 security regression for the emacs package in Red Hat Enterprise Linux 8.8 and Red Hat Enterprise Linux 9.2.

Published 2023-05-17 22:15:11

Updated 2025-01-22 19:15:09

Source Red Hat, Inc.

View at NVD, CVE.org

Products affected by CVE-2023-2491

Redhat » Enterprise Linux » Version: 8.0
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux » Version: 9.0
cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Eus » Version: 8.8
cpe:2.3:o:redhat:enterprise_linux_eus:8.8:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Eus » Version: 9.2
cpe:2.3:o:redhat:enterprise_linux_eus:9.2:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Aus » Version: 8.8
cpe:2.3:o:redhat:enterprise_linux_server_aus:8.8:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Aus » Version: 9.2
cpe:2.3:o:redhat:enterprise_linux_server_aus:9.2:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server Tus » Version: 8.8
cpe:2.3:o:redhat:enterprise_linux_server_tus:8.8:*:*:*:*:*:*:*
Matching versions
GNU » Emacs » Version: 26.1-9.el8
cpe:2.3:a:gnu:emacs:26.1-9.el8:*:*:*:*:*:*:*
Matching versions
GNU » Emacs » Version: 27.2-8.el9
cpe:2.3:a:gnu:emacs:27.2-8.el9:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2023-2491

EPSS FAQ

0.06%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 20 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-2491

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
7.8	HIGH	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	1.8	5.9	134c704f-9b21-4f2e-91b3-4a467353bcc0	2025-01-22
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
7.8	HIGH	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	1.8	5.9	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2023-2491

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Assigned by:
- nvd@nist.gov (Primary)
- secalert@redhat.com (Secondary)

References for CVE-2023-2491

https://access.redhat.com/errata/RHSA-2023:2626

RHSA-2023:2626 - Security Advisory - Red Hat Customer Portal
Third Party Advisory
https://access.redhat.com/errata/RHSA-2023:3104

RHSA-2023:3104 - Security Advisory - Red Hat Customer Portal
Third Party Advisory
https://access.redhat.com/security/cve/CVE-2023-2491

cve-details
Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2192873

Bug Access Denied
Issue Tracking;Third Party Advisory

Jump to

Vulnerability Details : CVE-2023-2491

Products affected by CVE-2023-2491

Exploit prediction scoring system (EPSS) score for CVE-2023-2491

CVSS scores for CVE-2023-2491

CWE ids for CVE-2023-2491

References for CVE-2023-2491