FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

CVE-2008-2712

This CVE name corresponds to:

Entered: 2008-06-21
Topic: vim -- Vim Shell Command Injection Vulnerabilities

The following information is adapted from the Common Vulnerabilities and Exposures (CVE) project. CVE and the CVE logo are trademarks of The MITRE Corporation. CVE content is Copyright 2005, The MITRE Corporation.

Details

Type: Candidate
Name: CVE-2008-2712
Phase: Assigned (20080616)

Description

Vim 7.1.314, 6.4, and other versions allow user-assisted remote attackers to execute arbitrary commands via Vim scripts that do not properly sanitize inputs before invoking the execute or system functions, as demonstrated using (1) filetype.vim, (3) xpm.vim, (4) gzip_vim, and (5) netrw. NOTE: the originally reported version was 7.1.314, but the researcher actually found this set of issues in 7.1.298. NOTE: the zipplugin issue (originally vector 2 in this identifier) has been subsumed by CVE-2008-3075.

References

Source	Reference
BUGTRAQ 20080613 Collection of Vulnerabilities in Fully Patched Vim 7.1
BUGTRAQ 20080614 Re: Collection of Vulnerabilities in Fully Patched Vim 7.1
BUGTRAQ 20080811 rPSA-2008-0247-1 gvim vim vim-minimal
BUGTRAQ 20080701 Re: Collection of Vulnerabilities in Fully Patched Vim 7.1
BUGTRAQ 20090401 VMSA-2009-0004 ESX Service Console updates for openssl, bind, and vim
MISC http://www.rdancer.org/vulnerablevim.html
MLIST [oss-security] 20080616 CVE Id request: vim
MLIST [oss-security] 20081015 Vim CVE issues cleanup (plugins tar.vim, zip.vim) - CVE-2008-3074 and CVE-2008-3075
CONFIRM http://wiki.rpath.com/Advisories:rPSA-2008-0247
CONFIRM https://issues.rpath.com/browse/RPL-2622
CONFIRM http://support.apple.com/kb/HT3216
CONFIRM http://support.avaya.com/elmodocs2/security/ASA-2009-001.htm
CONFIRM http://support.avaya.com/elmodocs2/security/ASA-2008-457.htm
CONFIRM http://www.vmware.com/security/advisories/VMSA-2009-0004.html
CONFIRM http://support.apple.com/kb/HT4077
APPLE APPLE-SA-2008-10-09
APPLE APPLE-SA-2010-03-29-1
MANDRIVA MDVSA-2008:236
REDHAT RHSA-2008:0617
REDHAT RHSA-2008:0580
REDHAT RHSA-2008:0618
SUSE SUSE-SR:2009:007
UBUNTU USN-712-1
BID 29715
BID 31681
OVAL oval:org.mitre.oval:def:11109
OVAL oval:org.mitre.oval:def:6238
SECUNIA 34418
SECUNIA 32858
SECUNIA 32864
VUPEN ADV-2008-1851
VUPEN ADV-2008-2780
VUPEN ADV-2009-0033
SECTRACK 1020293
SECUNIA 30731
SECUNIA 32222
SECUNIA 33410
SREASON 3951
VUPEN ADV-2009-0904
XF vim-scripts-command-execution(43083)