{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2024-30205", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-02T01:25:03.369Z", "dateReserved": "2024-03-25T00:00:00", "datePublished": "2024-03-25T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-05-01T17:06:43.213891"}, "descriptions": [{"lang": "en", "value": "In Emacs before 29.3, Org mode considers contents of remote files to be trusted. This affects Org Mode before 9.6.23."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://git.savannah.gnu.org/cgit/emacs.git/tree/etc/NEWS?h=emacs-29"}, {"url": "https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=4255d5dcc0657915f90e4fba7e0a5514cced514d"}, {"url": "https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29&id=2bc865ace050ff118db43f01457f95f95112b877"}, {"name": "[debian-lts-announce] 20240429 [SECURITY] [DLA 3801-1] emacs security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00023.html"}, {"name": "[debian-lts-announce] 20240430 [SECURITY] [DLA 3802-1] org-mode security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00024.html"}, {"name": "[oss-security] 20240325 Re: GNU emacs 29.3 released to fix security issues", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2024/03/25/2"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-01T19:24:54.853994Z", "id": "CVE-2024-30205", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-01T19:25:04.827Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:25:03.369Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.savannah.gnu.org/cgit/emacs.git/tree/etc/NEWS?h=emacs-29", "tags": ["x_transferred"]}, {"url": "https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=4255d5dcc0657915f90e4fba7e0a5514cced514d", "tags": ["x_transferred"]}, {"url": "https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29&id=2bc865ace050ff118db43f01457f95f95112b877", "tags": ["x_transferred"]}, {"name": "[debian-lts-announce] 20240429 [SECURITY] [DLA 3801-1] emacs security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00023.html"}, {"name": "[debian-lts-announce] 20240430 [SECURITY] [DLA 3802-1] org-mode security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00024.html"}, {"name": "[oss-security] 20240325 Re: GNU emacs 29.3 released to fix security issues", "tags": ["mailing-list", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2024/03/25/2"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-30205", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-01T19:24:54.853994Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-01T19:25:01.940Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://git.savannah.gnu.org/cgit/emacs.git/tree/etc/NEWS?h=emacs-29"}, {"url": "https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=4255d5dcc0657915f90e4fba7e0a5514cced514d"}, {"url": "https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29&id=2bc865ace050ff118db43f01457f95f95112b877"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00023.html", "name": "[debian-lts-announce] 20240429 [SECURITY] [DLA 3801-1] emacs security update", "tags": ["mailing-list"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00024.html", "name": "[debian-lts-announce] 20240430 [SECURITY] [DLA 3802-1] org-mode security update", "tags": ["mailing-list"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/03/25/2", "name": "[oss-security] 20240325 Re: GNU emacs 29.3 released to fix security issues", "tags": ["mailing-list"]}], "descriptions": [{"lang": "en", "value": "In Emacs before 29.3, Org mode considers contents of remote files to be trusted. This affects Org Mode before 9.6.23."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-05-01T17:06:43.213891"}}}, "cveMetadata": {"cveId": "CVE-2024-30205", "state": "PUBLISHED", "dateUpdated": "2024-08-01T19:25:04.827Z", "dateReserved": "2024-03-25T00:00:00", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2024-03-25T00:00:00", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In Emacs before 29.3, Org mode considers contents of remote files to be trusted. This affects Org Mode before 9.6.23."}, {"lang": "es", "value": "En Emacs anterior a 29.3, el modo Org considera que el contenido de los archivos remotos es confiable. Esto afecta al modo de organizaci\u00f3n anterior a la versi\u00f3n 9.6.23."}], "id": "CVE-2024-30205", "lastModified": "2024-05-01T17:15:32.820", "metrics": {}, "published": "2024-03-25T15:15:52.567", "references": [{"source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2024/03/25/2"}, {"source": "cve@mitre.org", "url": "https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29&id=2bc865ace050ff118db43f01457f95f95112b877"}, {"source": "cve@mitre.org", "url": "https://git.savannah.gnu.org/cgit/emacs.git/tree/etc/NEWS?h=emacs-29"}, {"source": "cve@mitre.org", "url": "https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=4255d5dcc0657915f90e4fba7e0a5514cced514d"}, {"source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00023.html"}, {"source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00024.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis"}

{"affected_release": [{"advisory": "RHSA-2024:6987", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "emacs-1:26.1-12.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-09-24T00:00:00Z"}, {"advisory": "RHSA-2024:6987", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "emacs-1:26.1-12.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-09-24T00:00:00Z"}, {"advisory": "RHSA-2024:9302", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "emacs-1:27.2-10.el9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-11-12T00:00:00Z"}], "bugzilla": {"description": "emacs: Org mode considers contents of remote files to be trusted", "id": "2280298", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2280298"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-349", "details": ["In Emacs before 29.3, Org mode considers contents of remote files to be trusted. This affects Org Mode before 9.6.23.", "A flaw was found in Emacs. Org mode considers the content of remote files, such as files opened with TRAMP on remote systems, to be trusted, resulting in arbitrary code execution."], "mitigation": {"lang": "en:us", "value": "Do not open untrusted Org mode files from a remote system."}, "name": "CVE-2024-30205", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "emacs", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "emacs", "product_name": "Red Hat Enterprise Linux 7"}], "public_date": "2024-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-30205\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-30205\nhttps://www.openwall.com/lists/oss-security/2024/03/25/2"], "statement": "To exploit this flaw, an attacker needs to trick a user into opening a crafted Org mode file from a remote system. For this reason, this flaw has been rated with a Moderate security impact.", "threat_severity": "Moderate", "upstream_fix": "emacs 29.3"}