Attacker Value

Unknown

(0 users assessed)

Exploitability

Unknown

(0 users assessed)

User Interaction

Unknown

Privileges Required

Unknown

Attack Vector

Unknown

0

CVE-2008-2712

Disclosure Date: June 16, 2008 •

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Vim 7.1.314, 6.4, and other versions allows user-assisted remote attackers to execute arbitrary commands via Vim scripts that do not properly sanitize inputs before invoking the execute or system functions, as demonstrated using (1) filetype.vim, (3) xpm.vim, (4) gzip_vim, and (5) netrw. NOTE: the originally reported version was 7.1.314, but the researcher actually found this set of issues in 7.1.298. NOTE: the zipplugin issue (originally vector 2 in this identifier) has been subsumed by CVE-2008-3075.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

None

Impact Score:

Unknown

Exploitability Score:

Unknown

Vector:

Attack Vector (AV):

Unknown

Attack Complexity (AC):

Unknown

Privileges Required (PR):

Unknown

User Interaction (UI):

Unknown

Scope (S):

Unknown

Confidentiality (C):

Unknown

Integrity (I):

Unknown

Availability (A):

Unknown

Vendors

canonical,
vim

Products

ubuntu linux 6.06,
ubuntu linux 7.10,
ubuntu linux 8.04,
ubuntu linux 8.10,
vim

References

Canonical

CVE-2008-2712 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2712)

BID-31681 (http://www.securityfocus.com/bid/31681)

BID-29715 (http://www.securityfocus.com/bid/29715)

Advisory

http://www.vmware.com/security/advisories/VMSA-2009-0004.html

http://lists.opensuse.org/opensuse-security-announce/2009-03/msg00004.html

http://www.redhat.com/support/errata/RHSA-2008-0618.html

USN-712-1 (http://www.ubuntu.com/usn/USN-712-1)

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6238

XF-vim-scripts-command-execution(43083) (https://exchange.xforce.ibmcloud.com/vulnerabilities/43083)

SECUNIA-32858 (http://secunia.com/advisories/32858)

SECUNIA-33410 (http://secunia.com/advisories/33410)

APPLE-SA-2010-03-29-1 (http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html)

http://www.redhat.com/support/errata/RHSA-2008-0580.html

http://support.avaya.com/elmodocs2/security/ASA-2009-001.htm

SECUNIA-34418 (http://secunia.com/advisories/34418)

ADV-2009-0904 (http://www.vupen.com/english/advisories/2009/0904)

ADV-2009-0033 (http://www.vupen.com/english/advisories/2009/0033)

20080811 rPSA-2008-0247-1 gvim vim vim-minimal (http://www.securityfocus.com/archive/1/495319/100/0/threaded)

20080614 Re: Collection of Vulnerabilities in Fully Patched Vim 7.1 (http://www.securityfocus.com/archive/1/493353/100/0/threaded)

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11109

20090401 VMSA-2009-0004 ESX Service Console updates for openssl, bind, and vim (http://www.securityfocus.com/archive/1/502322/100/0/threaded)

[oss-security] 20080616 CVE Id request: vim (http://www.openwall.com/lists/oss-security/2008/06/16/2)

20080701 Re: Collection of Vulnerabilities in Fully Patched Vim 7.1 (http://marc.info?l=bugtraq&m=121494431426308&w=2)

ADV-2008-1851 (http://www.vupen.com/english/advisories/2008/1851/references)

http://support.avaya.com/elmodocs2/security/ASA-2008-457.htm

SECUNIA-30731 (http://secunia.com/advisories/30731)

SECUNIA-32222 (http://secunia.com/advisories/32222)

http://support.apple.com/kb/HT4077

https://issues.rpath.com/browse/RPL-2622

SREASON-3951 (http://securityreason.com/securityalert/3951)

http://www.mandriva.com/security/advisories?name=MDVSA-2008:236

ADV-2008-2780 (http://www.vupen.com/english/advisories/2008/2780)

[oss-security] 20081015 Vim CVE issues cleanup (plugins tar.vim, zip.vim) - CVE-2008-3074 and CVE-2008-3075 (http://www.openwall.com/lists/oss-security/2008/10/15/1)

SECUNIA-32864 (http://secunia.com/advisories/32864)

SECTRACK-1020293 (http://www.securitytracker.com/id?1020293)

APPLE-SA-2008-10-09 (http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html)

http://support.apple.com/kb/HT3216

http://wiki.rpath.com/Advisories:rPSA-2008-0247

http://www.redhat.com/support/errata/RHSA-2008-0617.html

20080613 Collection of Vulnerabilities in Fully Patched Vim 7.1 (http://www.securityfocus.com/archive/1/493352/100/0/threaded)

Miscellaneous

http://www.rdancer.org/vulnerablevim.html

Rapid7

Technical Analysis