FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

CVE-2008-2712

This CVE name corresponds to:

Entered: 2008-06-21
Topic: vim -- Vim Shell Command Injection Vulnerabilities

The following information is adapted from the Common Vulnerabilities and Exposures (CVE) project. CVE and the CVE logo are trademarks of The MITRE Corporation. CVE content is Copyright 2005, The MITRE Corporation.

Details

Type: Candidate
Name: CVE-2008-2712
Phase: Assigned (20080616)

Description

Vim 7.1.314, 6.4, and other versions allows user-assisted remote attackers to execute arbitrary commands via Vim scripts that do not properly sanitize inputs before invoking the execute or system functions, as demonstrated using (1) filetype.vim, (2) zipplugin, (3) xpm.vim, (4) gzip_vim, and (5) netrw.

References

BUGTRAQ: 20080613 Collection of Vulnerabilities in Fully Patched Vim 7.1
BUGTRAQ: 20080614 Re: Collection of Vulnerabilities in Fully Patched Vim 7.1
MISC: http://www.rdancer.org/vulnerablevim.html
MLIST: [oss-security] CVE Id request: vim
BID: 29715
FRSIRT: ADV-2008-1851
SECTRACK: 1020293
SECUNIA: 30731
XF: vim-scripts-command-execution(43083)