Vulnerabilities > CVE-2008-2712 - Improper Input Validation vulnerability in VIM

047910
CVSS 9.3 - CRITICAL
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
vim
canonical
CWE-20
critical
nessus
exploit available

Summary

Vim 7.1.314, 6.4, and other versions allows user-assisted remote attackers to execute arbitrary commands via Vim scripts that do not properly sanitize inputs before invoking the execute or system functions, as demonstrated using (1) filetype.vim, (3) xpm.vim, (4) gzip_vim, and (5) netrw. NOTE: the originally reported version was 7.1.314, but the researcher actually found this set of issues in 7.1.298. NOTE: the zipplugin issue (originally vector 2 in this identifier) has been subsumed by CVE-2008-3075.

Vulnerable Configurations

Part Description Count
Application
Vim
600
OS
Canonical
4

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Server Side Include (SSI) Injection
    An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands.
  • Cross Zone Scripting
    An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security. In a zone-based model, pages belong to one of a set of zones corresponding to the level of privilege assigned to that page. Pages in an untrusted zone would have a lesser level of access to the system and/or be restricted in the types of executable content it was allowed to invoke. In a cross-zone scripting attack, a page that should be assigned to a less privileged zone is granted the privileges of a more trusted zone. This can be accomplished by exploiting bugs in the browser, exploiting incorrect configuration in the zone controls, through a cross-site scripting attack that causes the attackers' content to be treated as coming from a more trusted page, or by leveraging some piece of system functionality that is accessible from both the trusted and less trusted zone. This attack differs from "Restful Privilege Escalation" in that the latter correlates to the inadequate securing of RESTful access methods (such as HTTP DELETE) on the server, while cross-zone scripting attacks the concept of security zones as implemented by a browser.
  • Cross Site Scripting through Log Files
    An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin administrative interface and the log data is not properly HTML encoded before being written to the page, the attackers' scripts stored in the log will be executed in the administrative interface with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross site scripting.
  • Command Line Execution through SQL Injection
    An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.

Exploit-Db

descriptionVim 7.x Vim Script Multiple Command Execution Vulnerabilities. CVE-2008-2712. Local exploit for linux platform
idEDB-ID:31911
last seen2016-02-03
modified2008-06-14
published2008-06-14
reporterJan Minar
sourcehttps://www.exploit-db.com/download/31911/
titleVim 7.x - Vim Script Multiple Command Execution Vulnerabilities

Nessus

  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20081125_VIM_ON_SL3_X.NASL
    descriptionSeveral input sanitization flaws were found in Vim
    last seen2020-06-01
    modified2020-06-02
    plugin id60500
    published2012-08-01
    reporterThis script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/60500
    titleScientific Linux Security Update : vim on SL3.x, SL4.x, SL5.x i386/x86_64
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text is (C) Scientific Linux.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(60500);
      script_version("1.6");
      script_cvs_date("Date: 2019/10/25 13:36:18");
    
      script_cve_id("CVE-2007-2953", "CVE-2008-2712", "CVE-2008-3074", "CVE-2008-3075", "CVE-2008-3076", "CVE-2008-3432", "CVE-2008-4101");
    
      script_name(english:"Scientific Linux Security Update : vim on SL3.x, SL4.x, SL5.x i386/x86_64");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Scientific Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Several input sanitization flaws were found in Vim's keyword and tag
    handling. If Vim looked up a document's maliciously crafted tag or
    keyword, it was possible to execute arbitrary code as the user running
    Vim. (CVE-2008-4101)
    
    SL3 and SL4 Only: A heap-based overflow flaw was discovered in Vim's
    expansion of file name patterns with shell wildcards. An attacker
    could create a specially crafted file or directory name that, when
    opened by Vim, caused the application to crash or, possibly, execute
    arbitrary code. (CVE-2008-3432)
    
    SL5 Only: Multiple security flaws were found in netrw.vim, the Vim
    plug-in providing file reading and writing over the network. If a user
    opened a specially crafted file or directory with the netrw plug-in,
    it could result in arbitrary code execution as the user running Vim.
    (CVE-2008-3076)
    
    SL5 Only: A security flaw was found in zip.vim, the Vim plug-in that
    handles ZIP archive browsing. If a user opened a ZIP archive using the
    zip.vim plug-in, it could result in arbitrary code execution as the
    user running Vim. (CVE-2008-3075)
    
    SL5 Only: A security flaw was found in tar.vim, the Vim plug-in which
    handles TAR archive browsing. If a user opened a TAR archive using the
    tar.vim plug-in, it could result in arbitrary code execution as the
    user runnin Vim. (CVE-2008-3074)
    
    Several input sanitization flaws were found in various Vim system
    functions. If a user opened a specially crafted file, it was possible
    to execute arbitrary code as the user running Vim. (CVE-2008-2712)
    
    Ulf Härnhammar, of Secunia Research, discovered a format string
    flaw in Vim's help tag processor. If a user was tricked into executing
    the 'helptags' command on malicious data, arbitrary code could be
    executed with the permissions of the user running Vim. (CVE-2007-2953)"
      );
      # https://listserv.fnal.gov/scripts/wa.exe?A2=ind0811&L=scientific-linux-errata&T=0&P=1936
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?7ee91c3b"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_cwe_id(20, 78, 94, 119);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2008/11/25");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/08/01");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Scientific Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux");
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"SL3", reference:"vim-X11-6.3.046-0.30E.11")) flag++;
    if (rpm_check(release:"SL3", reference:"vim-common-6.3.046-0.30E.11")) flag++;
    if (rpm_check(release:"SL3", reference:"vim-enhanced-6.3.046-0.30E.11")) flag++;
    if (rpm_check(release:"SL3", reference:"vim-minimal-6.3.046-0.30E.11")) flag++;
    
    if (rpm_check(release:"SL4", reference:"vim-X11-6.3.046-1.el4_7.5z")) flag++;
    if (rpm_check(release:"SL4", reference:"vim-common-6.3.046-1.el4_7.5z")) flag++;
    if (rpm_check(release:"SL4", reference:"vim-enhanced-6.3.046-1.el4_7.5z")) flag++;
    if (rpm_check(release:"SL4", reference:"vim-minimal-6.3.046-1.el4_7.5z")) flag++;
    
    if (rpm_check(release:"SL5", reference:"vim-X11-7.0.109-4.el5_2.4z")) flag++;
    if (rpm_check(release:"SL5", reference:"vim-common-7.0.109-4.el5_2.4z")) flag++;
    if (rpm_check(release:"SL5", reference:"vim-enhanced-7.0.109-4.el5_2.4z")) flag++;
    if (rpm_check(release:"SL5", reference:"vim-minimal-7.0.109-4.el5_2.4z")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2008-236.NASL
    descriptionSeveral vulnerabilities were found in the vim editor : A number of input sanitization flaws were found in various vim system functions. If a user were to open a specially crafted file, it would be possible to execute arbitrary code as the user running vim (CVE-2008-2712). Ulf H&Atilde;&curren;rnhammar of Secunia Research found a format string flaw in vim
    last seen2020-06-01
    modified2020-06-02
    plugin id36821
    published2009-04-23
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/36821
    titleMandriva Linux Security Advisory : vim (MDVSA-2008:236-1)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandriva Linux Security Advisory MDVSA-2008:236. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(36821);
      script_version ("1.15");
      script_cvs_date("Date: 2019/08/02 13:32:50");
    
      script_cve_id("CVE-2007-2953", "CVE-2008-2712", "CVE-2008-2953", "CVE-2008-3074", "CVE-2008-3075", "CVE-2008-3076", "CVE-2008-4101", "CVE-2008-4677");
      script_bugtraq_id(25095);
      script_xref(name:"MDVSA", value:"2008:236-1");
    
      script_name(english:"Mandriva Linux Security Advisory : vim (MDVSA-2008:236-1)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandriva Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Several vulnerabilities were found in the vim editor :
    
    A number of input sanitization flaws were found in various vim system
    functions. If a user were to open a specially crafted file, it would
    be possible to execute arbitrary code as the user running vim
    (CVE-2008-2712).
    
    Ulf H&Atilde;&curren;rnhammar of Secunia Research found a format
    string flaw in vim's help tags processor. If a user were tricked into
    executing the helptags command on malicious data, it could result in
    the execution of arbitrary code as the user running vim
    (CVE-2008-2953).
    
    A flaw was found in how tar.vim handled TAR archive browsing. If a
    user were to open a special TAR archive using the plugin, it could
    result in the execution of arbitrary code as the user running vim
    (CVE-2008-3074).
    
    A flaw was found in how zip.vim handled ZIP archive browsing. If a
    user were to open a special ZIP archive using the plugin, it could
    result in the execution of arbitrary code as the user running vim
    (CVE-2008-3075).
    
    A number of security flaws were found in netrw.vim, the vim plugin
    that provides the ability to read and write files over the network. If
    a user opened a specially crafted file or directory with the netrw
    plugin, it could result in the execution of arbitrary code as the user
    running vim (CVE-2008-3076).
    
    A number of input validation flaws were found in vim's keyword and tag
    handling. If vim looked up a document's maliciously crafted tag or
    keyword, it was possible to execute arbitary code as the user running
    vim (CVE-2008-4101).
    
    A vulnerability was found in certain versions of netrw.vim where it
    would send FTP credentials stored for an FTP session to subsequent FTP
    sessions to servers on different hosts, exposing FTP credentials to
    remote hosts (CVE-2008-4677).
    
    This update provides vim 7.2 (patchlevel 65) which corrects all of
    these issues and introduces a number of new features and bug fixes.
    
    Update :
    
    The previous vim update incorrectly introduced a requirement on
    libruby and also conflicted with a file from the git-core package (in
    contribs). These issues have been corrected with these updated
    packages."
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(20, 78, 94, 255);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:vim-X11");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:vim-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:vim-enhanced");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:vim-minimal");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2008.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2008.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2009.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2008/12/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/23");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK2008.0", reference:"vim-X11-7.2.065-9.3mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"vim-common-7.2.065-9.3mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"vim-enhanced-7.2.065-9.3mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"vim-minimal-7.2.065-9.3mdv2008.0", yank:"mdv")) flag++;
    
    if (rpm_check(release:"MDK2008.1", reference:"vim-X11-7.2.065-9.3mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", reference:"vim-common-7.2.065-9.3mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", reference:"vim-enhanced-7.2.065-9.3mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", reference:"vim-minimal-7.2.065-9.3mdv2008.1", yank:"mdv")) flag++;
    
    if (rpm_check(release:"MDK2009.0", reference:"vim-X11-7.2.065-9.3mdv2009.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2009.0", reference:"vim-common-7.2.065-9.3mdv2009.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2009.0", reference:"vim-enhanced-7.2.065-9.3mdv2009.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2009.0", reference:"vim-minimal-7.2.065-9.3mdv2009.0", yank:"mdv")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2008-0617.NASL
    descriptionFrom Red Hat Security Advisory 2008:0617 : Updated vim packages that fix various security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Vim (Visual editor IMproved) is an updated and improved version of the vi editor. Several input sanitization flaws were found in Vim
    last seen2020-06-01
    modified2020-06-02
    plugin id67732
    published2013-07-12
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/67732
    titleOracle Linux 3 / 4 : vim (ELSA-2008-0617)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Red Hat Security Advisory RHSA-2008:0617 and 
    # Oracle Linux Security Advisory ELSA-2008-0617 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(67732);
      script_version("1.12");
      script_cvs_date("Date: 2019/10/25 13:36:07");
    
      script_cve_id("CVE-2007-2953", "CVE-2008-2712", "CVE-2008-3432", "CVE-2008-4101");
      script_xref(name:"RHSA", value:"2008:0617");
    
      script_name(english:"Oracle Linux 3 / 4 : vim (ELSA-2008-0617)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Oracle Linux host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "From Red Hat Security Advisory 2008:0617 :
    
    Updated vim packages that fix various security issues are now
    available for Red Hat Enterprise Linux 3 and 4.
    
    This update has been rated as having moderate security impact by the
    Red Hat Security Response Team.
    
    Vim (Visual editor IMproved) is an updated and improved version of the
    vi editor.
    
    Several input sanitization flaws were found in Vim's keyword and tag
    handling. If Vim looked up a document's maliciously crafted tag or
    keyword, it was possible to execute arbitrary code as the user running
    Vim. (CVE-2008-4101)
    
    A heap-based overflow flaw was discovered in Vim's expansion of file
    name patterns with shell wildcards. An attacker could create a
    specially crafted file or directory name that, when opened by Vim,
    caused the application to crash or, possibly, execute arbitrary code.
    (CVE-2008-3432)
    
    Several input sanitization flaws were found in various Vim system
    functions. If a user opened a specially crafted file, it was possible
    to execute arbitrary code as the user running Vim. (CVE-2008-2712)
    
    Ulf Harnhammar, of Secunia Research, discovered a format string flaw
    in Vim's help tag processor. If a user was tricked into executing the
    'helptags' command on malicious data, arbitrary code could be executed
    with the permissions of the user running Vim. (CVE-2007-2953)
    
    All Vim users are advised to upgrade to these updated packages, which
    contain backported patches to correct these issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2008-November/000814.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2008-November/000815.html"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected vim packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_cwe_id(20, 119);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:vim-X11");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:vim-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:vim-enhanced");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:vim-minimal");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:3");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:4");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2007/07/31");
      script_set_attribute(attribute:"patch_publication_date", value:"2008/11/25");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/12");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(3|4)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 3 / 4", "Oracle Linux " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    
    flag = 0;
    if (rpm_check(release:"EL3", cpu:"i386", reference:"vim-X11-6.3.046-0.30E.11")) flag++;
    if (rpm_check(release:"EL3", cpu:"x86_64", reference:"vim-X11-6.3.046-0.30E.11")) flag++;
    if (rpm_check(release:"EL3", cpu:"i386", reference:"vim-common-6.3.046-0.30E.11")) flag++;
    if (rpm_check(release:"EL3", cpu:"x86_64", reference:"vim-common-6.3.046-0.30E.11")) flag++;
    if (rpm_check(release:"EL3", cpu:"i386", reference:"vim-enhanced-6.3.046-0.30E.11")) flag++;
    if (rpm_check(release:"EL3", cpu:"x86_64", reference:"vim-enhanced-6.3.046-0.30E.11")) flag++;
    if (rpm_check(release:"EL3", cpu:"i386", reference:"vim-minimal-6.3.046-0.30E.11")) flag++;
    if (rpm_check(release:"EL3", cpu:"x86_64", reference:"vim-minimal-6.3.046-0.30E.11")) flag++;
    
    if (rpm_check(release:"EL4", reference:"vim-X11-6.3.046-1.el4_7.5z")) flag++;
    if (rpm_check(release:"EL4", reference:"vim-common-6.3.046-1.el4_7.5z")) flag++;
    if (rpm_check(release:"EL4", reference:"vim-enhanced-6.3.046-1.el4_7.5z")) flag++;
    if (rpm_check(release:"EL4", reference:"vim-minimal-6.3.046-1.el4_7.5z")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "vim-X11 / vim-common / vim-enhanced / vim-minimal");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_GVIM-6025.NASL
    descriptionThe VI Improved editor (vim) received bugfixes for some code execution problems. - Arbitrary code execution in vim helper plugins filetype.vim, zipplugin, xpm.vim, gzip_vim, and netrw were fix ed. CVE-2008-4101: Arbitrary code execution when pressing K, ctrl-] or g] depending on the text under the cursor. (CVE-2008-2712)
    last seen2020-06-01
    modified2020-06-02
    plugin id41519
    published2009-09-24
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/41519
    titleSuSE 10 Security Update : vim (ZYPP Patch Number 6025)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The text description of this plugin is (C) Novell, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(41519);
      script_version ("1.10");
      script_cvs_date("Date: 2019/10/25 13:36:36");
    
      script_cve_id("CVE-2008-2712", "CVE-2008-4101");
    
      script_name(english:"SuSE 10 Security Update : vim (ZYPP Patch Number 6025)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SuSE 10 host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The VI Improved editor (vim) received bugfixes for some code execution
    problems.
    
      - Arbitrary code execution in vim helper plugins
        filetype.vim, zipplugin, xpm.vim, gzip_vim, and netrw
        were fix ed. CVE-2008-4101: Arbitrary code execution
        when pressing K, ctrl-] or g] depending on the text
        under the cursor. (CVE-2008-2712)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2008-2712.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2008-4101.html"
      );
      script_set_attribute(attribute:"solution", value:"Apply ZYPP patch number 6025.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_cwe_id(20);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2009/02/25");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/09/24");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled.");
    if (!get_kb_item("Host/SuSE/release")) exit(0, "The host is not running SuSE.");
    if (!get_kb_item("Host/SuSE/rpm-list")) exit(1, "Could not obtain the list of installed packages.");
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) exit(1, "Failed to determine the architecture type.");
    if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") exit(1, "Local checks for SuSE 10 on the '"+cpu+"' architecture have not been implemented.");
    
    
    flag = 0;
    if (rpm_check(release:"SLED10", sp:2, reference:"gvim-6.4.6-19.15")) flag++;
    if (rpm_check(release:"SLED10", sp:2, reference:"vim-6.4.6-19.15")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"gvim-6.4.6-19.15")) flag++;
    if (rpm_check(release:"SLES10", sp:2, reference:"vim-6.4.6-19.15")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else exit(0, "The host is not affected.");
    
  • NASL familyVMware ESX Local Security Checks
    NASL idVMWARE_VMSA-2009-0004.NASL
    descriptiona. Updated OpenSSL package for the Service Console fixes a security issue. OpenSSL 0.9.7a-33.24 and earlier does not properly check the return value from the EVP_VerifyFinal function, which could allow a remote attacker to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2008-5077 to this issue. b. Update bind package for the Service Console fixes a security issue. A flaw was discovered in the way Berkeley Internet Name Domain (BIND) checked the return value of the OpenSSL DSA_do_verify function. On systems using DNSSEC, a malicious zone could present a malformed DSA certificate and bypass proper certificate validation, allowing spoofing attacks. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-0025 to this issue. c. Updated vim package for the Service Console addresses several security issues. Several input flaws were found in Visual editor IMproved
    last seen2020-06-01
    modified2020-06-02
    plugin id40389
    published2009-07-27
    reporterThis script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/40389
    titleVMSA-2009-0004 : ESX Service Console updates for openssl, bind, and vim
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from VMware Security Advisory 2009-0004. 
    # The text itself is copyright (C) VMware Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(40389);
      script_version("1.28");
      script_cvs_date("Date: 2018/08/06 14:03:16");
    
      script_cve_id("CVE-2007-2953", "CVE-2008-2712", "CVE-2008-3432", "CVE-2008-4101", "CVE-2008-5077", "CVE-2009-0021", "CVE-2009-0025", "CVE-2009-0046", "CVE-2009-0047", "CVE-2009-0048", "CVE-2009-0049", "CVE-2009-0050", "CVE-2009-0051", "CVE-2009-0124", "CVE-2009-0125", "CVE-2009-0127", "CVE-2009-0128", "CVE-2009-0130");
      script_bugtraq_id(25095, 33150, 33151);
      script_xref(name:"VMSA", value:"2009-0004");
    
      script_name(english:"VMSA-2009-0004 : ESX Service Console updates for openssl, bind, and vim");
      script_summary(english:"Checks esxupdate output for the patches");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote VMware ESX host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "a. Updated OpenSSL package for the Service Console fixes a
       security issue.
    
       OpenSSL 0.9.7a-33.24 and earlier does not properly check the return
       value from the EVP_VerifyFinal function, which could allow a remote
       attacker to bypass validation of the certificate chain via a
       malformed SSL/TLS signature for DSA and ECDSA keys.
    
       The Common Vulnerabilities and Exposures project (cve.mitre.org)
       has assigned the name CVE-2008-5077 to this issue.
    
    b. Update bind package for the Service Console fixes a security issue.
    
       A flaw was discovered in the way Berkeley Internet Name Domain
       (BIND) checked the return value of the OpenSSL DSA_do_verify
       function. On systems using DNSSEC, a malicious zone could present
       a malformed DSA certificate and bypass proper certificate
       validation, allowing spoofing attacks.
    
       The Common Vulnerabilities and Exposures project (cve.mitre.org)
       has assigned the name CVE-2009-0025 to this issue.
    
    c. Updated vim package for the Service Console addresses several
       security issues.
    
       Several input flaws were found in Visual editor IMproved's (Vim)
       keyword and tag handling. If Vim looked up a document's maliciously
       crafted tag or keyword, it was possible to execute arbitrary code as
       the user running Vim.
    
       The Common Vulnerabilities and Exposures project (cve.mitre.org)
       has assigned the name CVE-2008-4101 to this issue.
    
       A heap-based overflow flaw was discovered in Vim's expansion of file
       name patterns with shell wildcards. An attacker could create a
       specially crafted file or directory name, when opened by Vim causes
       the application to stop responding or execute arbitrary code.
    
       The Common Vulnerabilities and Exposures project (cve.mitre.org)
       has assigned the name CVE-2008-3432 to this issue.
    
       Several input flaws were found in various Vim system functions. If a
       user opened a specially crafted file, it was possible to execute
       arbitrary code as the user running Vim.
    
       The Common Vulnerabilities and Exposures project (cve.mitre.org)
       has assigned the name CVE-2008-2712 to this issue.
    
       A format string flaw was discovered in Vim's help tag processor. If
       a user was tricked into executing the 'helptags' command on
       malicious data, arbitrary code could be executed with the
       permissions of the user running VIM.
    
       The Common Vulnerabilities and Exposures project (cve.mitre.org)
       has assigned the name CVE-2007-2953 to this issue."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://lists.vmware.com/pipermail/security-announce/2010/000077.html"
      );
      script_set_attribute(attribute:"solution", value:"Apply the missing patches.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_cwe_id(20, 119, 287);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:2.5.5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:3.0.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:3.0.3");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:3.5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:4.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2009/03/31");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/07/27");
      script_set_attribute(attribute:"vuln_publication_date", value:"2007/07/27");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");
      script_family(english:"VMware ESX Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/VMware/release", "Host/VMware/version");
      script_require_ports("Host/VMware/esxupdate", "Host/VMware/esxcli_software_vibs");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("vmware_esx_packages.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/VMware/release")) audit(AUDIT_OS_NOT, "VMware ESX / ESXi");
    if (
      !get_kb_item("Host/VMware/esxcli_software_vibs") &&
      !get_kb_item("Host/VMware/esxupdate")
    ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    init_esx_check(date:"2009-03-31");
    flag = 0;
    
    
    if (esx_check(ver:"ESX 2.5.5", patch:"13")) flag++;
    
    if (esx_check(ver:"ESX 3.0.2", patch:"ESX-1008406")) flag++;
    if (esx_check(ver:"ESX 3.0.2", patch:"ESX-1008408")) flag++;
    if (esx_check(ver:"ESX 3.0.2", patch:"ESX-1008409")) flag++;
    
    if (
      esx_check(
        ver           : "ESX 3.0.3",
        patch         : "ESX303-200903403-SG",
        patch_updates : make_list("ESX303-Rollup01", "ESX303-Update01")
      )
    ) flag++;
    if (
      esx_check(
        ver           : "ESX 3.0.3",
        patch         : "ESX303-200903405-SG",
        patch_updates : make_list("ESX303-Rollup01", "ESX303-Update01")
      )
    ) flag++;
    if (
      esx_check(
        ver           : "ESX 3.0.3",
        patch         : "ESX303-200903406-SG",
        patch_updates : make_list("ESX303-Rollup01", "ESX303-Update01")
      )
    ) flag++;
    
    if (
      esx_check(
        ver           : "ESX 3.5.0",
        patch         : "ESX350-200904406-SG",
        patch_updates : make_list("ESX350-Update05", "ESX350-Update05a")
      )
    ) flag++;
    if (
      esx_check(
        ver           : "ESX 3.5.0",
        patch         : "ESX350-200904407-SG",
        patch_updates : make_list("ESX350-201002404-SG", "ESX350-Update05", "ESX350-Update05a")
      )
    ) flag++;
    if (
      esx_check(
        ver           : "ESX 3.5.0",
        patch         : "ESX350-200904408-SG",
        patch_updates : make_list("ESX350-201012401-SG", "ESX350-Update05", "ESX350-Update05a")
      )
    ) flag++;
    
    if (
      esx_check(
        ver           : "ESX 4.0",
        patch         : "ESX400-200912402-SG",
        patch_updates : make_list("ESX400-Update02", "ESX400-Update03", "ESX400-Update04")
      )
    ) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:esx_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2008-0618.NASL
    descriptionUpdated vim packages that fix security issues are now available for Red Hat Enterprise Linux 2.1. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Vim (Visual editor IMproved) is an updated and improved version of the vi editor. Several input sanitization flaws were found in Vim
    last seen2020-06-01
    modified2020-06-02
    plugin id34955
    published2008-11-25
    reporterThis script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/34955
    titleRHEL 2.1 : vim (RHSA-2008:0618)
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_SECUPD2008-007.NASL
    descriptionThe remote host is running a version of Mac OS X 10.5 or 10.4 that does not have the security update 2008-007 applied. This security update contains fixes for the following products : - Apache - Certificates - ClamAV - ColorSync - CUPS - Finder - launchd - libxslt - MySQL Server - Networking - PHP - Postfix - PSNormalizer - QuickLook - rlogin - Script Editor - Single Sign-On - Tomcat - vim - Weblog
    last seen2020-06-01
    modified2020-06-02
    plugin id34374
    published2008-10-10
    reporterThis script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/34374
    titleMac OS X Multiple Vulnerabilities (Security Update 2008-007)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_0_GVIM-090225.NASL
    descriptionThe VI Improved editor (vim) was updated to version 7.2.108 to fix various security problems and other bugs. CVE-2008-4677: The netrw plugin sent credentials to all servers. CVE-2009-0316: The python support used a search path including the current directory, allowing code injection when python code was used. CVE-2008-2712: Arbitrary code execution in vim helper plugins filetype.vim, zipplugin, xpm.vim, gzip_vim, and netrw were fixed. CVE-2008-3074: tarplugin code injection CVE-2008-3075: zipplugin code injection CVE-2008-3076: several netrw bugs, code injection CVE-2008-6235: code injection in the netrw plugin CVE-2008-4677: credential disclosure by netrw plugin
    last seen2020-06-01
    modified2020-06-02
    plugin id39980
    published2009-07-21
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/39980
    titleopenSUSE Security Update : gvim (gvim-561)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2008-0580.NASL
    descriptionUpdated vim packages that fix security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Vim (Visual editor IMproved) is an updated and improved version of the vi editor. Several input sanitization flaws were found in Vim
    last seen2020-06-01
    modified2020-06-02
    plugin id34953
    published2008-11-25
    reporterThis script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/34953
    titleRHEL 5 : vim (RHSA-2008:0580)
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_30866E6C3C6D11DD98C900163E000016.NASL
    descriptionRdancer.org reports : Improper quoting in some parts of Vim written in the Vim Script can lead to arbitrary code execution upon opening a crafted file.
    last seen2020-06-01
    modified2020-06-02
    plugin id33240
    published2008-06-24
    reporterThis script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/33240
    titleFreeBSD : vim -- Vim Shell Command Injection Vulnerabilities (30866e6c-3c6d-11dd-98c9-00163e000016)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-712-1.NASL
    descriptionJan Minar discovered that Vim did not properly sanitize inputs before invoking the execute or system functions inside Vim scripts. If a user were tricked into running Vim scripts with a specially crafted input, an attacker could execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-2712) Ben Schmidt discovered that Vim did not properly escape characters when performing keyword or tag lookups. If a user were tricked into running specially crafted commands, an attacker could execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-4101). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id38044
    published2009-04-23
    reporterUbuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/38044
    titleUbuntu 6.06 LTS / 7.10 / 8.04 LTS / 8.10 : vim vulnerabilities (USN-712-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE9_12360.NASL
    descriptionThe VI Improved editor (vim) received bugfixes for some code execution problems. - Arbitrary code execution in vim helper plugins filetype.vim, zipplugin, xpm.vim, gzip_vim, and netrw were fixed. (CVE-2008-2712) - Arbitrary code execution when pressing K, ctrl-] or g] depending on the text under the cursor. (CVE-2008-4101) - The netrw plugin sent credentials to all servers. (CVE-2008-4677)
    last seen2020-06-01
    modified2020-06-02
    plugin id41283
    published2009-09-24
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/41283
    titleSuSE9 Security Update : ViM (YOU Patch Number 12360)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2008-0617.NASL
    descriptionUpdated vim packages that fix various security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Vim (Visual editor IMproved) is an updated and improved version of the vi editor. Several input sanitization flaws were found in Vim
    last seen2020-06-01
    modified2020-06-02
    plugin id37794
    published2009-04-23
    reporterThis script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/37794
    titleCentOS 3 / 4 : vim (CESA-2008:0617)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_GVIM-6023.NASL
    descriptionThe VI Improved editor (vim) was updated to version 7.2.108 to fix various security problems and other bugs. CVE-2008-4677: The netrw plugin sent credentials to all servers. CVE-2009-0316: The python support used a search path including the current directory, allowing code injection when python code was used. CVE-2008-2712: Arbitrary code execution in vim helper plugins filetype.vim, zipplugin, xpm.vim, gzip_vim, and netrw were fixed. CVE-2008-3074: tarplugin code injection CVE-2008-3075: zipplugin code injection CVE-2008-3076: several netrw bugs, code injection CVE-2008-6235: code injection in the netrw plugin CVE-2008-4677: credential disclosure by netrw plugin
    last seen2020-06-01
    modified2020-06-02
    plugin id35921
    published2009-03-13
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/35921
    titleopenSUSE 10 Security Update : gvim (gvim-6023)
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_SECUPD2010-002.NASL
    descriptionThe remote host is running a version of Mac OS X 10.5 that does not have Security Update 2010-002 applied. This security update contains fixes for the following products : - AppKit - Application Firewall - AFP Server - Apache - ClamAV - CoreTypes - CUPS - curl - Cyrus IMAP - Cyrus SASL - Disk Images - Directory Services - Event Monitor - FreeRADIUS - FTP Server - iChat Server - Image RAW - Libsystem - Mail - Mailman - OS Services - Password Server - perl - PHP - PS Normalizer - Ruby - Server Admin - SMB - Tomcat - unzip - vim - Wiki Server - X11 - xar
    last seen2020-06-01
    modified2020-06-02
    plugin id45373
    published2010-03-29
    reporterThis script is Copyright (C) 2010-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/45373
    titleMac OS X Multiple Vulnerabilities (Security Update 2010-002)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2008-0580.NASL
    descriptionUpdated vim packages that fix security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Vim (Visual editor IMproved) is an updated and improved version of the vi editor. Several input sanitization flaws were found in Vim
    last seen2020-06-01
    modified2020-06-02
    plugin id43697
    published2010-01-06
    reporterThis script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/43697
    titleCentOS 5 : vim (CESA-2008:0580)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1733.NASL
    descriptionSeveral vulnerabilities have been found in vim, an enhanced vi editor. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2008-2712 Jan Minar discovered that vim did not properly sanitise inputs before invoking the execute or system functions inside vim scripts. This could lead to the execution of arbitrary code. - CVE-2008-3074 Jan Minar discovered that the tar plugin of vim did not properly sanitise the filenames in the tar archive or the name of the archive file itself, making it prone to arbitrary code execution. - CVE-2008-3075 Jan Minar discovered that the zip plugin of vim did not properly sanitise the filenames in the zip archive or the name of the archive file itself, making it prone to arbitrary code execution. - CVE-2008-3076 Jan Minar discovered that the netrw plugin of vim did not properly sanitise the filenames or directory names it is given. This could lead to the execution of arbitrary code. - CVE-2008-4101 Ben Schmidt discovered that vim did not properly escape characters when performing keyword or tag lookups. This could lead to the execution of arbitrary code.
    last seen2020-06-01
    modified2020-06-02
    plugin id35764
    published2009-03-04
    reporterThis script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/35764
    titleDebian DSA-1733-1 : vim - several vulnerabilities
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_1_GVIM-090225.NASL
    descriptionThe VI Improved editor (vim) was updated to version 7.2.108 to fix various security problems and other bugs. CVE-2008-4677: The netrw plugin sent credentials to all servers. CVE-2009-0316: The python support used a search path including the current directory, allowing code injection when python code was used. CVE-2008-2712: Arbitrary code execution in vim helper plugins filetype.vim, zipplugin, xpm.vim, gzip_vim, and netrw were fixed. CVE-2008-3074: tarplugin code injection CVE-2008-3075: zipplugin code injection CVE-2008-3076: several netrw bugs, code injection CVE-2008-6235: code injection in the netrw plugin CVE-2008-4677: credential disclosure by netrw plugin
    last seen2020-06-01
    modified2020-06-02
    plugin id40230
    published2009-07-21
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/40230
    titleopenSUSE Security Update : gvim (gvim-561)
  • NASL familyMisc.
    NASL idVMWARE_VMSA-2009-0004_REMOTE.NASL
    descriptionThe remote VMware ESX host is missing a security-related patch. It is, therefore, is affected by multiple vulnerabilities : - A format string flaw exists in the Vim help tag processor in the helptags_one() function that allows a remote attacker to execute arbitrary code by tricking a user into executing the
    last seen2020-06-01
    modified2020-06-02
    plugin id89112
    published2016-03-03
    reporterThis script is Copyright (C) 2016-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/89112
    titleVMware ESX Multiple Vulnerabilities (VMSA-2009-0004) (remote check)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2008-0617.NASL
    descriptionUpdated vim packages that fix various security issues are now available for Red Hat Enterprise Linux 3 and 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Vim (Visual editor IMproved) is an updated and improved version of the vi editor. Several input sanitization flaws were found in Vim
    last seen2020-06-01
    modified2020-06-02
    plugin id34954
    published2008-11-25
    reporterThis script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/34954
    titleRHEL 3 / 4 : vim (RHSA-2008:0617)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2008-0580.NASL
    descriptionFrom Red Hat Security Advisory 2008:0580 : Updated vim packages that fix security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Vim (Visual editor IMproved) is an updated and improved version of the vi editor. Several input sanitization flaws were found in Vim
    last seen2020-06-01
    modified2020-06-02
    plugin id67722
    published2013-07-12
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/67722
    titleOracle Linux 5 : vim (ELSA-2008-0580)

Oval

  • accepted2013-04-29T04:11:34.446-04:00
    classvulnerability
    contributors
    • nameAharon Chernin
      organizationSCAP.com, LLC
    • nameDragos Prisaca
      organizationG2, Inc.
    definition_extensions
    • commentThe operating system installed on the system is Red Hat Enterprise Linux 3
      ovaloval:org.mitre.oval:def:11782
    • commentCentOS Linux 3.x
      ovaloval:org.mitre.oval:def:16651
    • commentThe operating system installed on the system is Red Hat Enterprise Linux 4
      ovaloval:org.mitre.oval:def:11831
    • commentCentOS Linux 4.x
      ovaloval:org.mitre.oval:def:16636
    • commentOracle Linux 4.x
      ovaloval:org.mitre.oval:def:15990
    • commentThe operating system installed on the system is Red Hat Enterprise Linux 5
      ovaloval:org.mitre.oval:def:11414
    • commentThe operating system installed on the system is CentOS Linux 5.x
      ovaloval:org.mitre.oval:def:15802
    • commentOracle Linux 5.x
      ovaloval:org.mitre.oval:def:15459
    descriptionVim 7.1.314, 6.4, and other versions allows user-assisted remote attackers to execute arbitrary commands via Vim scripts that do not properly sanitize inputs before invoking the execute or system functions, as demonstrated using (1) filetype.vim, (3) xpm.vim, (4) gzip_vim, and (5) netrw. NOTE: the originally reported version was 7.1.314, but the researcher actually found this set of issues in 7.1.298. NOTE: the zipplugin issue (originally vector 2 in this identifier) has been subsumed by CVE-2008-3075.
    familyunix
    idoval:org.mitre.oval:def:11109
    statusaccepted
    submitted2010-07-09T03:56:16-04:00
    titleVim 7.1.314, 6.4, and other versions allows user-assisted remote attackers to execute arbitrary commands via Vim scripts that do not properly sanitize inputs before invoking the execute or system functions, as demonstrated using (1) filetype.vim, (3) xpm.vim, (4) gzip_vim, and (5) netrw. NOTE: the originally reported version was 7.1.314, but the researcher actually found this set of issues in 7.1.298. NOTE: the zipplugin issue (originally vector 2 in this identifier) has been subsumed by CVE-2008-3075.
    version27
  • accepted2009-11-30T04:00:26.010-05:00
    classvulnerability
    contributors
    • nameMichael Wood
      organizationHewlett-Packard
    • nameMichael Wood
      organizationHewlett-Packard
    definition_extensions
    • commentVMWare ESX Server 3.0.3 is installed
      ovaloval:org.mitre.oval:def:6026
    • commentVMWare ESX Server 3.0.2 is installed
      ovaloval:org.mitre.oval:def:5613
    • commentVMware ESX Server 3.5.0 is installed
      ovaloval:org.mitre.oval:def:5887
    descriptionVim 7.1.314, 6.4, and other versions allows user-assisted remote attackers to execute arbitrary commands via Vim scripts that do not properly sanitize inputs before invoking the execute or system functions, as demonstrated using (1) filetype.vim, (3) xpm.vim, (4) gzip_vim, and (5) netrw. NOTE: the originally reported version was 7.1.314, but the researcher actually found this set of issues in 7.1.298. NOTE: the zipplugin issue (originally vector 2 in this identifier) has been subsumed by CVE-2008-3075.
    familyunix
    idoval:org.mitre.oval:def:6238
    statusaccepted
    submitted2009-09-23T15:39:02.000-04:00
    titleVim Flaw in Quoting Vim Script Lets Remote Users Cause Arbitrary Commands to Be Executed in Certain Cases
    version3

Redhat

advisories
  • rhsa
    idRHSA-2008:0580
  • rhsa
    idRHSA-2008:0617
  • rhsa
    idRHSA-2008:0618
rpms
  • vim-X11-2:7.0.109-4.el5_2.4z
  • vim-common-2:7.0.109-4.el5_2.4z
  • vim-debuginfo-2:7.0.109-4.el5_2.4z
  • vim-enhanced-2:7.0.109-4.el5_2.4z
  • vim-minimal-2:7.0.109-4.el5_2.4z
  • vim-X11-1:6.3.046-0.30E.11
  • vim-X11-1:6.3.046-1.el4_7.5z
  • vim-common-1:6.3.046-0.30E.11
  • vim-common-1:6.3.046-1.el4_7.5z
  • vim-debuginfo-1:6.3.046-0.30E.11
  • vim-debuginfo-1:6.3.046-1.el4_7.5z
  • vim-enhanced-1:6.3.046-0.30E.11
  • vim-enhanced-1:6.3.046-1.el4_7.5z
  • vim-minimal-1:6.3.046-0.30E.11
  • vim-minimal-1:6.3.046-1.el4_7.5z
  • vim-X11-1:6.0-7.25
  • vim-common-1:6.0-7.25
  • vim-enhanced-1:6.0-7.25
  • vim-minimal-1:6.0-7.25

References