CVE-2017-14482
moderate-risk
Published 2017-09-14
GNU Emacs before 25.3 allows remote attackers to execute arbitrary code via email with crafted "Content-Type: text/enriched" data containing an x-display XML element that specifies execution of shell commands, related to an unsafe text/enriched extension in lisp/textmodes/enriched.el, and unsafe Gnus support for enriched and richtext inline MIME objects in lisp/gnus/mm-view.el. In particular, an Emacs user can be instantly compromised by reading a crafted email message (or Usenet news article).
Do I need to act?
~
4.6% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.8/10
High
NETWORK
/ LOW complexity
Affected Products (2)
Emacs
References (16)
Issue Tracking
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=28350
Third Party Advisory
https://www.debian.org/security/2017/dsa-3970
Release Notes
https://www.gnu.org/software/emacs/index.html#Releases
Issue Tracking
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=28350
Third Party Advisory
https://www.debian.org/security/2017/dsa-3970
Release Notes
https://www.gnu.org/software/emacs/index.html#Releases
45
/ 100
moderate-risk
Severity
30/34 · Critical
Exploitability
8/34 · Low
Exposure
7/34 · Low