CVE-2008-3294: Code Injection in VIM

Severity: 3.7 LOW (NVD)
EPSS: 0.2% (top 63.67%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Jul 24
Latest update: May 1

Description

src/configure.in in Vim 5.0 through 7.1, when used for a build with Python support, does not ensure that the Makefile-conf temporary file has the intended ownership and permissions, which allows local users to execute arbitrary code by modifying this file during a time window, or by creating it ahead of time with permissions that prevent its modification by configure.

CVSS vector

AV:L/AC:H/C:P/I:P/A:P
Exploitability: 1.9 | Impact: 6.4

Affected Packages (2 packages)

NVD: vim/vim (16 versions)
Debian: debian/vim

🔴 Vulnerability Details (1)

GHSA: GHSA-2p55-mr3x-rqxj: src/configure (2022-05-01)

📋 Vendor Advisories (2)

Red Hat: vim: insecure temporary file usage in configure script (2008-07-17)
Debian: CVE-2008-3294: vim - src/configure.in in Vim 5.0 through 7.1, when used for a build with Python suppo... (2008)

💬 Community (1)

Bugzilla: CVE-2008-3294 vim: insecure temporary file usage in configure script (2008-07-25)