Computer Security
[EN] securityvulns.ru no-pyccku


vim multiple security vulnerabilities
updated since 14.06.2008
Published:25.08.2008
Source:
SecurityVulns ID:9086
Type:local
Threat Level:
5/10
Description:Code execution on file open.
Affected:VIM : vim 6.4
 VIM : vim 7.1
CVE:CVE-2008-2712 (Vim 7.1.314, 6.4, and other versions allows user-assisted remote attackers to execute arbitrary commands via Vim scripts that do not properly sanitize inputs before invoking the execute or system functions, as demonstrated using (1) filetype.vim, (3) xpm.vim, (4) gzip_vim, and (5) netrw. NOTE: the originally reported version was 7.1.314, but the researcher actually found this set of issues in 7.1.298. NOTE: the zipplugin issue (originally vector 2 in this identifier) has been subsumed by CVE-2008-3075.)
 CVE-2008-2712 (Vim 7.1.314, 6.4, and other versions allows user-assisted remote attackers to execute arbitrary commands via Vim scripts that do not properly sanitize inputs before invoking the execute or system functions, as demonstrated using (1) filetype.vim, (3) xpm.vim, (4) gzip_vim, and (5) netrw. NOTE: the originally reported version was 7.1.314, but the researcher actually found this set of issues in 7.1.298. NOTE: the zipplugin issue (originally vector 2 in this identifier) has been subsumed by CVE-2008-3075.)
Original documentdocumentJan Minar, Vim: Arbitrary Code Execution in Commands: K, Control-], g] (25.08.2008)
 documentJan Minar, Vim 7.2c.002 Fixes Arbitrary Command Execution when Handling Tar Archives (13.08.2008)
 documentJan Minar, Vim: Netrw: FTP User Name and Password Disclosure (13.08.2008)
 documentJan Minar, Vim: Unfixed Vulnerabilities in Tar Plugin Version 20 (08.08.2008)
 documentJan Minar, Vim: Flawed Fix of Arbitrary Code Execution Vulnerability in filetype.vim (24.07.2008)
 documentJan Minar, Vim: Improper Implementation of shellescape()/Arbitrary Code Execution (22.07.2008)
 documentJan Minar, Vim: Insecure Temporary File Creation During Build: Arbitrary Code Execution (22.07.2008)
 documentJan Minar, Collection of Vulnerabilities in Fully Patched Vim 7.1 (14.06.2008)

About | Terms of use | Privacy Policy
© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod