CVE-2008-4677: Netrw vulnerability

CWE-255 | 6 documents | 6 sources
Severity
4.3 MEDIUM (NVD)
EPSS
0.7%
top 26.85%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Oct 22
Latest update: May 17

Description

autoload/netrw.vim (aka the Netrw Plugin) 109, 131, and other versions before 133k for Vim 7.1.266, other 7.1 versions, and 7.2 stores credentials for an FTP session, and sends those credentials when attempting to establish subsequent FTP sessions to servers on different hosts, which allows remote FTP servers to obtain sensitive information in opportunistic circumstances by logging usernames and passwords. NOTE: the upstream vendor disputes a vector involving different ports on the same host, st

CVSS vector

AV:N/AC:M/C:P/I:N/A:N
Exploitability: 8.6 | Impact: 2.9

Affected Packages (2 packages)

NVD: vim/netrw, 15 versions (+14)
debian: debian/vim

🔴 Vulnerability Details (2)

GHSA
GHSA-q2qw-7ccw-vchv: autoload/netrw (2022-05-17)
OSV
CVE-2008-4677: autoload/netrw (2008-10-22)

📋 Vendor Advisories (2)

Red Hat
vim: netrw plugin: FTP username and password disclosure (2008-08-12)
Debian
CVE-2008-4677: vim - autoload/netrw.vim (aka the Netrw Plugin) 109, 131, and other versions before 13... (2008)

💬 Community (1)

Bugzilla
CVE-2008-4677 vim: netrw plugin: FTP username and password disclosure (2008-09-10)