CVE-2022-4515

Vulnerability

A flaw exists in Exuberant Ctags version 5.8 (and possibly earlier) in the way it handles the -o option, which specifies the tag filename. When a crafted tag filename is provided on the command line or in a configuration file, the externalSortTags() function in sort.c [1] calls the system(3) function with unsanitized input, leading to arbitrary command execution. The vulnerable code path is reachable when sorting is enabled via the --sort option.

Exploitation

An attacker can exploit this vulnerability by providing a specially crafted tag filename that contains shell metacharacters. The attacker must have the ability to pass arguments to Exuberant Ctags (e.g., by running it locally or tricking a user into processing a malformed configuration file). No special network position or authentication is needed; the attacker simply needs to invoke ctags with the malicious -o argument. The unsanitized filename is passed directly to system(), which interprets shell constructs.

Impact

Successful exploitation allows an attacker to execute arbitrary commands with the privileges of the user running ctags. This can lead to full system compromise if the user has elevated permissions. The impact is rated as critical (CVSS 9.8) due to the lack of authentication requirements and potential for remote code execution if ctags is triggered remotely (e.g., via a build script or editor plugin that processes untrusted files).

Mitigation

As of the available references [1], no official patch has been released; Exuberant Ctags is in maintenance mode and no longer actively developed. Users should avoid using the -o option with untrusted input. As a workaround, users can use Universal Ctags, a maintained fork that includes fixes for this issue. The CVE has been listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, indicating exploitation in the wild.