CVE-2008-2712
Published 2008-06-16
Priority P353 · critical · 9.3 · CVSS 2.0
AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS 15.04% · 96.3rd percentile
Vim 7.1.314, 6.4, and other versions allows user-assisted remote attackers to execute arbitrary commands via Vim scripts that do not properly sanitize inputs before invoking the execute or system functions, as demonstrated using (1) filetype.vim, (3) xpm.vim, (4) gzip_vim, and (5) netrw. NOTE: the originally reported version was 7.1.314, but the researcher actually found this set of issues in 7.1.298. NOTE: the zipplugin issue (originally vector 2 in this identifier) has been subsumed by CVE-2008-3075.
Affected
63 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | vim | < vim 1:7.1.314-3 (bookworm) | vim 1:7.1.314-3 (bookworm) |
| debian | vim | < vim 2:7.2.010-1 (bookworm) | vim 2:7.2.010-1 (bookworm) |
| vim | tar.vim | — | — |
| vim | tar.vim | — | — |
| vim | tar.vim | — | — |
| vim | tar.vim | — | — |
| vim | tar.vim | — | — |
| vim | tar.vim | — | — |
| vim | tar.vim | — | — |
| vim | tar.vim | — | — |
| vim | tar.vim | — | — |
| vim | tar.vim | — | — |
| vim | tar.vim | — | — |
| vim | tar.vim | — | — |
| vim | tar.vim | — | — |
| vim | vim | <= 6.4 | — |
| vim | vim | <= 7.2 | — |
| vim | vim | — | — |
| vim | vim | — | — |
| vim | vim | — | — |
| vim | vim | — | — |
CVSS provenance
nvd · v2.0 · 9.3 · CRITICAL · AV:N/AC:M/Au:N/C:C/I:C/A:C
osv · 9.3 · CRITICAL
vendor_debian · 9.3 · CRITICAL
vendor_redhat · 9.3 · CRITICAL
vendor_ubuntu · 9.3 · CRITICAL
Ubuntu
Vim vulnerabilities
vendor_ubuntu·2009-01-27·CVSS 9.3
CVE-2008-2712 [CRITICAL] Vim vulnerabilities
Jan Minar discovered that Vim did not properly sanitize inputs before invoking
the execute or system functions inside Vim scripts. If a user were tricked
into running Vim scripts with a specially crafted input, an attacker could
execute arbitrary code with the privileges of the user invoking the program.
(CVE-2008-2712)
Ben Schmidt discovered that Vim did not properly escape characters when
performing keyword or tag lookups. If a user were tricked into running specially
crafted commands, an attacker could execute arbitrary code with the privileges
of the user invoking the program. (CVE-2008-4101)
Instructions: In general, a standard system upgrade is sufficient to effect the
necessary changes.
Red Hat
vim: arbitrary code execution in commands: K, Control-], g]
vendor_redhat·2008-08-22·CVSS 9.3
CVE-2008-4101 [CRITICAL] vim: arbitrary code execution in commands: K, Control-], g]
Vim 3.0 through 7.x before 7.2.010 does not properly escape characters, which allows user-assisted attackers to (1) execute arbitrary shell commands by entering a K keystroke on a line that contains a ";" (semicolon) followed by a command, or execute arbitrary Ex commands by entering an argument after a (2) "Ctrl-]" (control close-square-bracket) or (3) "g]" (g close-square-bracket) keystroke sequence, a different issue than CVE-2008-2712.
Red Hat
plugin: improper Implementation of shellescape() (arbitrary code execution)
vendor_redhat·2008-07-15·CVSS 9.3
CVE-2008-3074 [CRITICAL] plugin: improper Implementation of shellescape() (arbitrary code execution)
The shellescape function in Vim 7.0 through 7.2, including 7.2a.10, allows user-assisted attackers to execute arbitrary code via the "!" (exclamation point) shell metacharacter in (1) the filename of a tar archive and possibly (2) the filename of the first file in a tar archive, which is not properly handled by the VIM TAR plugin (tar.vim) v.10 through v.22, as demonstrated by the shellescape, tarplugin.v2, tarplugin, and tarplugin.updated test cases. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2008-2712. NOTE: this issue has the same root cause as CVE-2008-3075. NOTE: due to the complexity of the associated disclosures and the incomplete information related to them, there may be inaccu
Red Hat
plugin: lack of sanitization throughout netrw.vim can lead to arbitrary code execution
vendor_redhat·2008-07-15·CVSS 9.3
CVE-2008-3076 [CRITICAL] plugin: lack of sanitization throughout netrw.vim can lead to arbitrary code execution
The Netrw plugin 125 in netrw.vim in Vim 7.2a.10 allows user-assisted attackers to execute arbitrary code via shell metacharacters in filenames used by the execute and system functions within the (1) mz and (2) mc commands, as demonstrated by the netrw.v2 and netrw.v3 test cases. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2008-2712.
Statement: Not vulnerable. This issue did not affect the versions of the Vim packages, as shipped with Red Hat Enterprise Linux 2.1, 3, 4, and 5.
Note: This CVE is mentioned in the text of RHSA-2008:0580 as it was originally used to track multiple issues. Issues that affected Vim packages in Red Hat Enterprise Linux 5 were later assigned separat
Red Hat
plugin: improper Implementation of shellescape() (arbitrary code execution)
vendor_redhat·2008-07-15·CVSS 9.3
CVE-2008-3075 [CRITICAL] plugin: improper Implementation of shellescape() (arbitrary code execution)
The shellescape function in Vim 7.0 through 7.2, including 7.2a.10, allows user-assisted attackers to execute arbitrary code via the "!" (exclamation point) shell metacharacter in (1) the filename of a ZIP archive and possibly (2) the filename of the first file in a ZIP archive, which is not properly handled by zip.vim in the VIM ZIP plugin (zipPlugin.vim) v.11 through v.21, as demonstrated by the zipplugin and zipplugin.v2 test cases. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2008-2712. NOTE: this issue has the same root cause as CVE-2008-3074. NOTE: due to the complexity of the associated disclosures and the incomplete information related to them, there may be inaccuracies in this C
Red Hat
vim: command execution via scripts not sanitizing inputs to execute and system
vendor_redhat·2008-06-15·CVSS 9.3
CVE-2008-2712 [CRITICAL] vim: command execution via scripts not sanitizing inputs to execute and system
Vim 7.1.314, 6.4, and other versions allows user-assisted remote attackers to execute arbitrary commands via Vim scripts that do not properly sanitize inputs before invoking the execute or system functions, as demonstrated using (1) filetype.vim, (3) xpm.vim, (4) gzip_vim, and (5) netrw. NOTE: the originally reported version was 7.1.314, but the researcher actually found this set of issues in 7.1.298. NOTE: the zipplugin issue (originally vector 2 in this identifier) has been subsumed by CVE-2008-3075.
Debian
CVE-2008-2712: vim - Vim 7.1.314, 6.4, and other versions allows user-assisted remote attackers to ex...
vendor_debian·2008·CVSS 9.3
CVE-2008-2712 [CRITICAL] CVE-2008-2712: vim - Vim 7.1.314, 6.4, and other versions allows user-assisted remote attackers to ex...
Vim 7.1.314, 6.4, and other versions allows user-assisted remote attackers to execute arbitrary commands via Vim scripts that do not properly sanitize inputs before invoking the execute or system functions, as demonstrated using (1) filetype.vim, (3) xpm.vim, (4) gzip_vim, and (5) netrw. NOTE: the originally reported version was 7.1.314, but the researcher actually found this set of issues in 7.1.298. NOTE: the zipplugin issue (originally vector 2 in this identifier) has been subsumed by CVE-2008-3075.
Scope: local
bookworm: resolved (fixed in 1:7.1.314-3)
bullseye: resolved (fixed in 1:7.1.314-3)
forky: resolved (fixed in 1:7.1.314-3)
sid: resolved (fixed in 1:7.1.314-3)
trixie: resolved (fixed in 1:7.1.314-3)
Debian
CVE-2008-3074: vim - The shellescape function in Vim 7.0 through 7.2, including 7.2a.10, allows user-...
vendor_debian·2008·CVSS 9.3
CVE-2008-3074 [CRITICAL] CVE-2008-3074: vim - The shellescape function in Vim 7.0 through 7.2, including 7.2a.10, allows user-...
The shellescape function in Vim 7.0 through 7.2, including 7.2a.10, allows user-assisted attackers to execute arbitrary code via the "!" (exclamation point) shell metacharacter in (1) the filename of a tar archive and possibly (2) the filename of the first file in a tar archive, which is not properly handled by the VIM TAR plugin (tar.vim) v.10 through v.22, as demonstrated by the shellescape, tarplugin.v2, tarplugin, and tarplugin.updated test cases. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2008-2712. NOTE: this issue has the same root cause as CVE-2008-3075. NOTE: due to the complexity of the associated disclosures and the incomplete information related to them, there may be inaccuracies in this CVE description and in external mappings to this identifier.
Debian
CVE-2008-3075: vim - The shellescape function in Vim 7.0 through 7.2, including 7.2a.10, allows user-...
vendor_debian·2008·CVSS 9.3
CVE-2008-3075 [CRITICAL] CVE-2008-3075: vim - The shellescape function in Vim 7.0 through 7.2, including 7.2a.10, allows user-...
The shellescape function in Vim 7.0 through 7.2, including 7.2a.10, allows user-assisted attackers to execute arbitrary code via the "!" (exclamation point) shell metacharacter in (1) the filename of a ZIP archive and possibly (2) the filename of the first file in a ZIP archive, which is not properly handled by zip.vim in the VIM ZIP plugin (zipPlugin.vim) v.11 through v.21, as demonstrated by the zipplugin and zipplugin.v2 test cases. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2008-2712. NOTE: this issue has the same root cause as CVE-2008-3074. NOTE: due to the complexity of the associated disclosures and the incomplete information related to them, there may be inaccuracies in this CVE description and in external mappings to this identifier.
Scope: local
Debian
CVE-2008-4101: vim - Vim 3.0 through 7.x before 7.2.010 does not properly escape characters, which al...
vendor_debian·2008·CVSS 9.3
CVE-2008-4101 [CRITICAL] CVE-2008-4101: vim - Vim 3.0 through 7.x before 7.2.010 does not properly escape characters, which al...
Vim 3.0 through 7.x before 7.2.010 does not properly escape characters, which allows user-assisted attackers to (1) execute arbitrary shell commands by entering a K keystroke on a line that contains a ";" (semicolon) followed by a command, or execute arbitrary Ex commands by entering an argument after a (2) "Ctrl-]" (control close-square-bracket) or (3) "g]" (g close-square-bracket) keystroke sequence, a different issue than CVE-2008-2712.
Scope: local
bookworm: resolved (fixed in 2:7.2.010-1)
bullseye: resolved (fixed in 2:7.2.010-1)
forky: resolved (fixed in 2:7.2.010-1)
sid: resolved (fixed in 2:7.2.010-1)
trixie: resolved (fixed in 2:7.2.010-1)
Debian
CVE-2008-3076: vim - The Netrw plugin 125 in netrw.vim in Vim 7.2a.10 allows user-assisted attackers ...
vendor_debian·2008·CVSS 9.3
CVE-2008-3076 [CRITICAL] CVE-2008-3076: vim - The Netrw plugin 125 in netrw.vim in Vim 7.2a.10 allows user-assisted attackers ...
The Netrw plugin 125 in netrw.vim in Vim 7.2a.10 allows user-assisted attackers to execute arbitrary code via shell metacharacters in filenames used by the execute and system functions within the (1) mz and (2) mc commands, as demonstrated by the netrw.v2 and netrw.v3 test cases. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2008-2712.
Scope: local
bookworm: resolved (fixed in 2:7.2.010-1)
bullseye: resolved (fixed in 2:7.2.010-1)
forky: resolved (fixed in 2:7.2.010-1)
sid: resolved (fixed in 2:7.2.010-1)
trixie: resolved (fixed in 2:7.2.010-1)
GHSA
GHSA-2gqj-jjm7-f6m7: Vim 3
ghsa_unreviewed·2022-05-02·CVSS 9.3
CVE-2008-4101 [CRITICAL] CWE-20 GHSA-2gqj-jjm7-f6m7: Vim 3
Vim 3.0 through 7.x before 7.2.010 does not properly escape characters, which allows user-assisted attackers to (1) execute arbitrary shell commands by entering a K keystroke on a line that contains a ";" (semicolon) followed by a command, or execute arbitrary Ex commands by entering an argument after a (2) "Ctrl-]" (control close-square-bracket) or (3) "g]" (g close-square-bracket) keystroke sequence, a different issue than CVE-2008-2712.
GHSA
GHSA-rj5h-39v8-hch3: The shellescape function in Vim 7
ghsa_unreviewed·2022-05-01·CVSS 9.3
CVE-2008-3074 [CRITICAL] CWE-78 GHSA-rj5h-39v8-hch3: The shellescape function in Vim 7
The shellescape function in Vim 7.0 through 7.2, including 7.2a.10, allows user-assisted attackers to execute arbitrary code via the "!" (exclamation point) shell metacharacter in (1) the filename of a tar archive and possibly (2) the filename of the first file in a tar archive, which is not properly handled by the VIM TAR plugin (tar.vim) v.10 through v.22, as demonstrated by the shellescape, tarplugin.v2, tarplugin, and tarplugin.updated test cases. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2008-2712. NOTE: this issue has the same root cause as CVE-2008-3075. NOTE: due to the complexity of the associated disclosures and the incomplete information related to them, there may be inaccuracies in this CVE description and in external mappings to this identifier.
GHSA
GHSA-wqmg-q854-x6x6: The shellescape function in Vim 7
ghsa_unreviewed·2022-05-01·CVSS 9.3
CVE-2008-3075 [CRITICAL] CWE-94 GHSA-wqmg-q854-x6x6: The shellescape function in Vim 7
The shellescape function in Vim 7.0 through 7.2, including 7.2a.10, allows user-assisted attackers to execute arbitrary code via the "!" (exclamation point) shell metacharacter in (1) the filename of a ZIP archive and possibly (2) the filename of the first file in a ZIP archive, which is not properly handled by zip.vim in the VIM ZIP plugin (zipPlugin.vim) v.11 through v.21, as demonstrated by the zipplugin and zipplugin.v2 test cases. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2008-2712. NOTE: this issue has the same root cause as CVE-2008-3074. NOTE: due to the complexity of the associated disclosures and the incomplete information related to them, there may be inaccuracies in this CVE description and in external mappings to this identifier.
GHSA
GHSA-j8hm-6qv5-gj2w: Vim 7
ghsa_unreviewed·2022-05-01·CVSS 9.3
CVE-2008-2712 [CRITICAL] CWE-20 GHSA-j8hm-6qv5-gj2w: Vim 7
Vim 7.1.314, 6.4, and other versions allows user-assisted remote attackers to execute arbitrary commands via Vim scripts that do not properly sanitize inputs before invoking the execute or system functions, as demonstrated using (1) filetype.vim, (3) xpm.vim, (4) gzip_vim, and (5) netrw. NOTE: the originally reported version was 7.1.314, but the researcher actually found this set of issues in 7.1.298. NOTE: the zipplugin issue (originally vector 2 in this identifier) has been subsumed by CVE-2008-3075.
GHSA
GHSA-f5qf-9pc8-pr89: The Netrw plugin 125 in netrw
ghsa_unreviewed·2022-05-01·CVSS 9.3
CVE-2008-3076 [CRITICAL] CWE-78 GHSA-f5qf-9pc8-pr89: The Netrw plugin 125 in netrw
The Netrw plugin 125 in netrw.vim in Vim 7.2a.10 allows user-assisted attackers to execute arbitrary code via shell metacharacters in filenames used by the execute and system functions within the (1) mz and (2) mc commands, as demonstrated by the netrw.v2 and netrw.v3 test cases. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2008-2712.
OSV
CVE-2008-3076: The Netrw plugin 125 in netrw
osv·2009-02-21·CVSS 9.3
CVE-2008-3076 [CRITICAL] CVE-2008-3076: The Netrw plugin 125 in netrw
The Netrw plugin 125 in netrw.vim in Vim 7.2a.10 allows user-assisted attackers to execute arbitrary code via shell metacharacters in filenames used by the execute and system functions within the (1) mz and (2) mc commands, as demonstrated by the netrw.v2 and netrw.v3 test cases. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2008-2712.
OSV
CVE-2008-3074: The shellescape function in Vim 7
osv·2009-02-21·CVSS 9.3
CVE-2008-3074 [CRITICAL] CVE-2008-3074: The shellescape function in Vim 7
The shellescape function in Vim 7.0 through 7.2, including 7.2a.10, allows user-assisted attackers to execute arbitrary code via the "!" (exclamation point) shell metacharacter in (1) the filename of a tar archive and possibly (2) the filename of the first file in a tar archive, which is not properly handled by the VIM TAR plugin (tar.vim) v.10 through v.22, as demonstrated by the shellescape, tarplugin.v2, tarplugin, and tarplugin.updated test cases. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2008-2712. NOTE: this issue has the same root cause as CVE-2008-3075. NOTE: due to the complexity of the associated disclosures and the incomplete information related to them, there may be inaccuracies in this CVE description and in external mappings to this identifier.
OSV
CVE-2008-3075: The shellescape function in Vim 7
osv·2009-02-21·CVSS 9.3
CVE-2008-3075 [CRITICAL] CVE-2008-3075: The shellescape function in Vim 7
The shellescape function in Vim 7.0 through 7.2, including 7.2a.10, allows user-assisted attackers to execute arbitrary code via the "!" (exclamation point) shell metacharacter in (1) the filename of a ZIP archive and possibly (2) the filename of the first file in a ZIP archive, which is not properly handled by zip.vim in the VIM ZIP plugin (zipPlugin.vim) v.11 through v.21, as demonstrated by the zipplugin and zipplugin.v2 test cases. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2008-2712. NOTE: this issue has the same root cause as CVE-2008-3074. NOTE: due to the complexity of the associated disclosures and the incomplete information related to them, there may be inaccuracies in this CVE description and in external mappings to this identifier.
OSV
CVE-2008-4101: Vim 3
osv·2008-09-18·CVSS 9.3
CVE-2008-4101 [CRITICAL] CVE-2008-4101: Vim 3
Vim 3.0 through 7.x before 7.2.010 does not properly escape characters, which allows user-assisted attackers to (1) execute arbitrary shell commands by entering a K keystroke on a line that contains a ";" (semicolon) followed by a command, or execute arbitrary Ex commands by entering an argument after a (2) "Ctrl-]" (control close-square-bracket) or (3) "g]" (g close-square-bracket) keystroke sequence, a different issue than CVE-2008-2712.
OSV
CVE-2008-2712: Vim 7
osv·2008-06-16·CVSS 9.3
CVE-2008-2712 [CRITICAL] CVE-2008-2712: Vim 7
Vim 7.1.314, 6.4, and other versions allows user-assisted remote attackers to execute arbitrary commands via Vim scripts that do not properly sanitize inputs before invoking the execute or system functions, as demonstrated using (1) filetype.vim, (3) xpm.vim, (4) gzip_vim, and (5) netrw. NOTE: the originally reported version was 7.1.314, but the researcher actually found this set of issues in 7.1.298. NOTE: the zipplugin issue (originally vector 2 in this identifier) has been subsumed by CVE-2008-3075.
No detection rules found.
Bugzilla
CVE-2008-3075 Vim zip.vim plugin: improper Implementation of shellescape() (arbitrary code execution)
bugzilla·2008-10-17·CVSS 9.3
CVE-2008-3075 [CRITICAL] CVE-2008-3075 Vim zip.vim plugin: improper Implementation of shellescape() (arbitrary code execution)
Description of problem:
Jan Minar has reported the following problem present in Vim shellescape()
function implementation and demonstrated by testcases in zip.vim plugin:
The implementation of the shellescape() function does not properly
escape all special items (in particular the '!' character). This
can result in untrusted data being insufficiently sanitized
and possibly lead to arbitrary code execution.
To show this vulnerability can be exploited, the tar.vim plugin test cases
have been updated (zipplugin and zipplugin.v2 test cases).
CVE-2008-3075 has been pre-assigned and used in rPath advisory:
http://www.openwall.com/lists/oss-security/2008/07/10/7 (ZIP-2)
References:
http://w
Bugzilla
CVE-2008-3074 Vim tar.vim plugin: improper Implementation of shellescape() (arbitrary code execution)
bugzilla·2008-10-17·CVSS 9.3
CVE-2008-3074 [CRITICAL] CVE-2008-3074 Vim tar.vim plugin: improper Implementation of shellescape() (arbitrary code execution)
Description of problem:
Jan Minar has reported the following problem present in Vim shellescape()
function implementation and demonstrated by testcases in tar.vim plugin:
The implementation of the shellescape() function does not properly
escape all special items (in particular the '!' character). This
can result in untrusted data being insufficiently sanitized
and possibly lead to arbitrary code execution.
To show this vulnerability can be exploited, the tar.vim plugin test cases
have been updated (tarplugin, tarplugin.v2 and tarplugin.updated test cases).
CVE-2008-3074 has been pre-assigned and used in rPath advisory:
http://www.openwall.com/lists/oss-security/2008/07/10/7
Reference
Bugzilla
CVE-2008-6235 Vim netrw.vim plugin: lack of sanitization throughout netrw.vim can lead to arbitrary code execution
bugzilla·2008-10-17·CVSS 9.3
CVE-2008-6235 [CRITICAL] CVE-2008-6235 Vim netrw.vim plugin: lack of sanitization throughout netrw.vim can lead to arbitrary code execution
Description of problem:
Jan Minar has reported the following problem present in Vim netrw.vim
plugin:
Issue #1:
3.4. Deleting Files (The ``D'' Command) (from vulnerablevim-netrw.html)
3.1 Vulnerability
Netrw fails to properly sanitize arguments passed to the s:System() function,
which is a wrapper for the ``execute'' command.
References: http://www.rdancer.org/vulnerablevim-netrw.html
http://www.rdancer.org/vulnerablevim-netrw.v2.html
Steps to Reproduce: (run 'make test' or 'make demo' in netrw.v4 testcase
or perform the following steps):
1, Open directory with a crafted filename ("sploit" in netrw.v4 testcase)
vim sploit
2, Point the cursor to the encoded part of the
Bugzilla
CVE-2008-2712 vim: command execution via scripts not sanitizing inputs to execute and system
bugzilla·2008-06-17·CVSS 9.3
CVE-2008-2712 [CRITICAL] CVE-2008-2712 vim: command execution via scripts not sanitizing inputs to execute and system
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-2712 to the following vulnerability:
Vim 7.1.314, 6.4, and other versions allows user-assisted remote attackers to
execute arbitrary commands via Vim scripts that do not properly sanitize inputs
before invoking the execute or system functions, as demonstrated using (1)
filetype.vim, (2) zipplugin, (3) xpm.vim, (4) gzip_vim, and (5) netrw.
References:
http://www.rdancer.org/vulnerablevim.html
http://www.securityfocus.com/archive/1/archive/1/493352/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/493353/100/0/threaded
http://marc.info/?l=bugtraq&m=121345541027231&w=4
http://www.openwall.com/lists/oss-security/2008/