CVE-2024-39331 : In Emacs before 29.4, org-link-expand-abbrev in lisp/ol.el expands a %(...) link

In Emacs before 29.4, org-link-expand-abbrev in lisp/ol.el expands a %(...) link abbrev even when it specifies an unsafe function, such as shell-command-to-string. This affects Org Mode before 9.7.5.

Published 2024-06-23 00:00:00

Updated 2025-04-30 16:44:52

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2024-39331

GNU » Emacs
Versions before (<) 29.4
cpe:2.3:a:gnu:emacs:*:*:*:*:*:*:*:*
Matching versions
GNU » Org Mode » For Gnu Emacs
Versions before (<) 9.7.5
cpe:2.3:a:gnu:org_mode:*:*:*:*:*:gnu_emacs:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2024-39331

EPSS FAQ

0.90%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 75 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2024-39331

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	134c704f-9b21-4f2e-91b3-4a467353bcc0	2024-07-03
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2024-39331

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Assigned by: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

References for CVE-2024-39331

https://www.openwall.com/lists/oss-security/2024/06/23/1

oss-security - Arbitrary shell command evaluation in Org mode (GNU Emacs)
Mailing List
https://list.orgmode.org/87sex5gdqc.fsf%40localhost/

[ANN] Emergency bugfix release: Org mode 9.7.5 - Ihor Radchenko
Mailing List
https://www.openwall.com/lists/oss-security/2024/06/23/2

oss-security - Re: Arbitrary shell command evaluation in Org mode (GNU Emacs)
Mailing List
https://lists.gnu.org/archive/html/info-gnu-emacs/2024-06/msg00000.html

Emacs 29.4 released
Mailing List
https://news.ycombinator.com/item?id=40768225

Arbitrary shell command evaluation in Org Mode (GNU Emacs) | Hacker News
Mailing List
https://git.savannah.gnu.org/cgit/emacs.git/tree/etc/NEWS?h=emacs-29

NEWS\etc - emacs.git - Emacs source repository
Release Notes

CVEs referencing this url
https://lists.debian.org/debian-lts-announce/2024/06/msg00023.html

[SECURITY] [DLA 3848-1] org-mode security update
Mailing List
https://lists.debian.org/debian-lts-announce/2024/06/msg00024.html

[SECURITY] [DLA 3849-1] org-mode security update
Mailing List
https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=f4cc61636947b5c2f0afc67174dd369fe3277aa8

emacs/org-mode.git - Emacs Org mode
Mailing List;Patch

Jump to

Vulnerability Details : CVE-2024-39331

Products affected by CVE-2024-39331

Exploit prediction scoring system (EPSS) score for CVE-2024-39331

CVSS scores for CVE-2024-39331

CWE ids for CVE-2024-39331

References for CVE-2024-39331