Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2008-4101 — Improper Input Validation in VIM

CWE-20 — Improper Input Validation8 documents8 sources

Severity

9.3CRITICALNVD

EPSS

15.2%

top 5.37%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

VIM Debian VIM

Timeline

PublishedSep 18

Latest updateMay 2

Description

Vim 3.0 through 7.x before 7.2.010 does not properly escape characters, which allows user-assisted attackers to (1) execute arbitrary shell commands by entering a K keystroke on a line that contains a ";" (semicolon) followed by a command, or execute arbitrary Ex commands by entering an argument after a (2) "Ctrl-]" (control close-square-bracket) or (3) "g]" (g close-square-bracket) keystroke sequence, a different issue than CVE-2008-2712.

CVSS vector

AV:N/AC:M/C:C/I:C/A:CExploitability: 8.6 | Impact: 10.0

Affected Packages3 packages

▶debiandebian/vim< vim 2:7.2.010-1 (bookworm)

▶Debianvim/vim< 2:7.2.010-1+3

▶NVDvim/vim7.2+18

Patches

Patch: groups.google.com ↗Patch: groups.google.com ↗Patch: groups.google.com ↗

🔴Vulnerability Details

GHSA

GHSA-2gqj-jjm7-f6m7: Vim 3↗2022-05-02

▶

OSV

CVE-2008-4101: Vim 3↗2008-09-18

▶

💥Exploits & PoCs

Exploit-DB

Vim 7.1.314 - Insufficient Shell Escaping Multiple Command Execution Vulnerabilities↗2008-08-19

▶

📋Vendor Advisories

Ubuntu

Vim vulnerabilities↗2009-01-27

▶

Red Hat

vim: arbitrary code execution in commands: K, Control-], g]↗2008-08-22

▶

Debian

CVE-2008-4101: vim - Vim 3.0 through 7.x before 7.2.010 does not properly escape characters, which al...↗2008

▶

💬Community

Bugzilla

CVE-2008-4101 vim: arbitrary code execution in commands: K, Control-], g]↗2008-09-11

▶