CVE-2024-39331

Published: Jun 23, 2024Modified: Jun 17, 2026

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

In Emacs before 29.4, org-link-expand-abbrev in lisp/ol.el expands a %(...) link abbrev even when it specifies an unsafe function, such as shell-command-to-string. This affects Org Mode before 9.7.5.

Affected (1)

Products: Gnu: Emacs

Gnu

1 product

Emacs

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Gnu Emacs	Before 29.4

Related CWEs

CWE-94

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (18)

https://git.savannah.gnu.org/cgit/emacs.git/tree/etc/NEWS?h=emacs-29

Source: cve@mitre.org

Release Notes

https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=f4cc61636947b5c2f0afc67174dd369fe3277aa8

Source: cve@mitre.org

Mailing ListPatch

https://list.orgmode.org/87sex5gdqc.fsf%40localhost/

Source: cve@mitre.org

Mailing List

https://lists.debian.org/debian-lts-announce/2024/06/msg00023.html

Source: cve@mitre.org

Mailing List

https://lists.debian.org/debian-lts-announce/2024/06/msg00024.html

Source: cve@mitre.org

Mailing List

https://lists.gnu.org/archive/html/info-gnu-emacs/2024-06/msg00000.html

Source: cve@mitre.org

Mailing List

https://news.ycombinator.com/item?id=40768225

Source: cve@mitre.org

Mailing List

https://www.openwall.com/lists/oss-security/2024/06/23/1

Source: cve@mitre.org

Mailing List

https://www.openwall.com/lists/oss-security/2024/06/23/2

Source: cve@mitre.org

Mailing List

https://git.savannah.gnu.org/cgit/emacs.git/tree/etc/NEWS?h=emacs-29