{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2024-30202", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-11-13T17:54:10.866Z", "dateReserved": "2024-03-25T00:00:00", "datePublished": "2024-03-25T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-05-01T18:08:01.531796"}, "descriptions": [{"lang": "en", "value": "In Emacs before 29.3, arbitrary Lisp code is evaluated as part of turning on Org mode. This affects Org Mode before 9.6.23."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://git.savannah.gnu.org/cgit/emacs.git/tree/etc/NEWS?h=emacs-29"}, {"url": "https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=003ddacf1c8d869b1858181c29ea21b731a8d8d9"}, {"url": "https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29&id=befa9fcaae29a6c9a283ba371c3c5234c7f644eb"}, {"name": "[oss-security] 20240325 Re: GNU emacs 29.3 released to fix security issues", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2024/03/25/2"}, {"name": "[oss-security] 20240408 Re: Is CVE-2024-30203 bogus? (Emacs)", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2024/04/08/6"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-05-01T21:03:07.717634Z", "id": "CVE-2024-30202", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-13T17:54:10.866Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:25:03.372Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.savannah.gnu.org/cgit/emacs.git/tree/etc/NEWS?h=emacs-29", "tags": ["x_transferred"]}, {"url": "https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=003ddacf1c8d869b1858181c29ea21b731a8d8d9", "tags": ["x_transferred"]}, {"url": "https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29&id=befa9fcaae29a6c9a283ba371c3c5234c7f644eb", "tags": ["x_transferred"]}, {"name": "[oss-security] 20240325 Re: GNU emacs 29.3 released to fix security issues", "tags": ["mailing-list", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2024/03/25/2"}, {"name": "[oss-security] 20240408 Re: Is CVE-2024-30203 bogus? (Emacs)", "tags": ["mailing-list", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2024/04/08/6"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.savannah.gnu.org/cgit/emacs.git/tree/etc/NEWS?h=emacs-29", "tags": ["x_transferred"]}, {"url": "https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=003ddacf1c8d869b1858181c29ea21b731a8d8d9", "tags": ["x_transferred"]}, {"url": "https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29&id=befa9fcaae29a6c9a283ba371c3c5234c7f644eb", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/03/25/2", "name": "[oss-security] 20240325 Re: GNU emacs 29.3 released to fix security issues", "tags": ["mailing-list", "x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/04/08/6", "name": "[oss-security] 20240408 Re: Is CVE-2024-30203 bogus? (Emacs)", "tags": ["mailing-list", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:25:03.372Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-30202", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-01T21:03:07.717634Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-01T21:03:13.091Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://git.savannah.gnu.org/cgit/emacs.git/tree/etc/NEWS?h=emacs-29"}, {"url": "https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=003ddacf1c8d869b1858181c29ea21b731a8d8d9"}, {"url": "https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29&id=befa9fcaae29a6c9a283ba371c3c5234c7f644eb"}, {"url": "http://www.openwall.com/lists/oss-security/2024/03/25/2", "name": "[oss-security] 20240325 Re: GNU emacs 29.3 released to fix security issues", "tags": ["mailing-list"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/04/08/6", "name": "[oss-security] 20240408 Re: Is CVE-2024-30203 bogus? (Emacs)", "tags": ["mailing-list"]}], "descriptions": [{"lang": "en", "value": "In Emacs before 29.3, arbitrary Lisp code is evaluated as part of turning on Org mode. This affects Org Mode before 9.6.23."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-05-01T18:08:01.531796"}}}, "cveMetadata": {"cveId": "CVE-2024-30202", "state": "PUBLISHED", "dateUpdated": "2024-11-13T17:54:10.866Z", "dateReserved": "2024-03-25T00:00:00", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2024-03-25T00:00:00", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In Emacs before 29.3, arbitrary Lisp code is evaluated as part of turning on Org mode. This affects Org Mode before 9.6.23."}, {"lang": "es", "value": "En Emacs anterior a 29.3, el c\u00f3digo Lisp arbitrario se eval\u00faa como parte de activar el modo Org. Esto afecta al modo de organizaci\u00f3n anterior a la versi\u00f3n 9.6.23."}], "id": "CVE-2024-30202", "lastModified": "2024-11-14T20:35:23.057", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-03-25T15:15:52.427", "references": [{"source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2024/03/25/2"}, {"source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2024/04/08/6"}, {"source": "cve@mitre.org", "url": "https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29&id=befa9fcaae29a6c9a283ba371c3c5234c7f644eb"}, {"source": "cve@mitre.org", "url": "https://git.savannah.gnu.org/cgit/emacs.git/tree/etc/NEWS?h=emacs-29"}, {"source": "cve@mitre.org", "url": "https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=003ddacf1c8d869b1858181c29ea21b731a8d8d9"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "emacs: arbitrary Lisp code is evaluated as part of turning on Org mode", "id": "2280295", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2280295"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-95", "details": ["In Emacs before 29.3, arbitrary Lisp code is evaluated as part of turning on Org mode. This affects Org Mode before 9.6.23.", "A flaw was found in Emacs. Arbitrary Lisp code can be evaluated when an Org mode file is opened or when the Org mode is being enabled, resulting in arbitrary code execution."], "mitigation": {"lang": "en:us", "value": "Do not open Org mode files from untrusted sources."}, "name": "CVE-2024-30202", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "emacs", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "emacs", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "emacs", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "emacs", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-30202\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-30202\nhttps://www.openwall.com/lists/oss-security/2024/03/25/2"], "statement": "The Emacs package, as shipped in Red Hat Enterprise Linux 8 and 9, is not affected by this vulnerability because the vulnerable code was introduced in a newer version of Emacs.\nTo exploit this flaw, an attacker needs to trick a user into opening a crafted Org mode file. For this reason, this flaw has been rated with a Moderate security impact.", "threat_severity": "Moderate", "upstream_fix": "emacs 29.3"}