CVE-2019-20807 — OS Command Injection in VIM

CWE-78 — OS Command Injection14 documents10 sources

Severity

5.3MEDIUMNVD

OSV5.5

EPSS

0.2%

top 57.08%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

VIM Apple MAC OS X Canonical Ubuntu Linux +4 more

Timeline

PublishedMay 28

Latest updateMay 24

Description

In Vim before 8.1.0881, users can circumvent the rvim restricted mode and execute arbitrary OS commands via scripting interfaces (e.g., Python, Ruby, or Lua).

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:LExploitability: 1.8 | Impact: 3.4

Affected Packages7 packages

▶NVDvim/vim< 8.1.0881

▶Debianvim/vim< 2:8.1.2136-1+3

▶Ubuntuvim/vim< 2:7.4.1689-3ubuntu1.5+5

▶NVDopensuse/leap15.1

▶NVDapple/mac_os_x10.13.6, 10.14.6+1

Also affects: Debian Linux 9.0, Ubuntu Linux 16.04, 18.04

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-f76x-65j4-28x3: In Vim before 8↗2022-05-24

▶

OSV

vim vulnerabilities↗2021-11-15

▶

OSV

vim vulnerabilities↗2020-10-14

▶

CVEList

CVE-2019-20807: In Vim before 8↗2020-05-28

▶

OSV

CVE-2019-20807: In Vim before 8↗2020-05-28

▶

📋Vendor Advisories

Ubuntu

Vim vulnerabilities↗2021-11-15

▶

Ubuntu

Vim vulnerabilities↗2020-10-14

▶

Apple

CVE-2019-20807: macOS Catalina 10.15.6, Security Update 2020-004 Mojave, Security Update 2020-004 High Sierra↗2020-07-15

▶

Microsoft

In Vim before 8.1.0881 users can circumvent the rvim restricted mode and execute arbitrary OS commands via scripting interfaces (e.g. Python Ruby or Lua).↗2020-05-12

▶

Red Hat

vim: users can execute arbitrary OS commands via scripting interfaces in the rvim restricted mode↗2020-02-08

▶

💬Community

Bugzilla

CVE-2019-20807 vim: users can execute arbitrary OS commands via scripting interfaces in the rvim restricted mode [fedora-all]↗2020-06-02

▶

Bugzilla

CVE-2019-20807 vim: users can execute arbitrary OS commands via scripting interfaces in the rvim restricted mode↗2020-06-01

▶