CVE-2005-2368 — OS Command Injection in VIM

CWE-78 — OS Command Injection6 documents6 sources

Severity

9.3CRITICALNVD

EPSS

1.5%

top 18.73%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

VIM Debian VIM VIM Development Group VIM

Timeline

PublishedJul 26

Latest updateMay 1

Description

vim 6.3 before 6.3.082, with modelines enabled, allows external user-assisted attackers to execute arbitrary commands via shell metacharacters in the (1) glob or (2) expand commands of a foldexpr expression for calculating fold levels.

CVSS vector

AV:N/AC:M/C:C/I:C/A:CExploitability: 8.6 | Impact: 10.0

Affected Packages3 packages

▶debiandebian/vim< vim 1:6.3-085+1 (bookworm)

▶Debianvim/vim< 1:6.3-085+1+3

▶NVDvim_development_group/vim6 versions+5

Patches

Patch: lists.grok.org.uk ↗Patch: www.guninski.com ↗Patch: lists.grok.org.uk ↗

🔴Vulnerability Details

GHSA

GHSA-w427-f3fp-6x6x: vim 6↗2022-05-01

▶

OSV

CVE-2005-2368: vim 6↗2005-07-26

▶

📋Vendor Advisories

Red Hat

security flaw↗2005-07-25

▶

Debian

CVE-2005-2368: vim - vim 6.3 before 6.3.082, with modelines enabled, allows external user-assisted at...↗2005

▶

💬Community

Bugzilla

CVE-2005-2368 security flaw↗2018-08-16

▶