Vulnerability Details: CVE-2008-2712
Vim 7.1.314, 6.4, and other versions allows user-assisted remote attackers to execute arbitrary commands via Vim scripts that do not properly sanitize inputs before invoking the execute or system functions, as demonstrated using (1) filetype.vim, (3) xpm.vim, (4) gzip_vim, and (5) netrw. NOTE: the originally reported version was 7.1.314, but the researcher actually found this set of issues in 7.1.298. NOTE: the zipplugin issue (originally vector 2 in this identifier) has been subsumed by CVE-2008-3075.
Vulnerability category: Input validation
Products affected by CVE-2008-2712
- cpe:2.3:o:canonical:ubuntu_linux:6.06:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:7.10:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:8.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:8.10:*:*:*:*:*:*:*
- cpe:2.3:a:vim:vim:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2008-2712
- EPSS score: 1.09% (probability of exploitation activity in the next 30 days)
- Percentile: ~85% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2008-2712
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
9.3 | HIGH | AV:N/AC:M/Au:N/C:C/I:C/A:C | 8.6 | 10.0 | NIST | |
CWE ids for CVE-2008-2712
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: nvd@nist.gov (Primary)
References for CVE-2008-2712
- http://wiki.rpath.com/Advisories:rPSA-2008-0247
  Tags: Third Party Advisory
- http://www.rdancer.org/vulnerablevim.html
  Tags: Broken Link
- http://www.openwall.com/lists/oss-security/2008/06/16/2
  Title: oss-security - CVE Id request: vim
  Tags: Mailing List; Third Party Advisory
- http://securityreason.com/securityalert/3951
  Title: Collection of Vulnerabilities in Fully Patched Vim 7.1 - CXSecurity.com
  Tags: Third Party Advisory
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11109
  Tags: Third Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2009-03/msg00004.html
  Title: [security-announce] SUSE Security Summary Report: SUSE-SR:2009:007 - openSUSE Security Announce - openSUSE Mailing Lists
  Tags: Third Party Advisory
- http://www.vupen.com/english/advisories/2009/0033
  Tags: Third Party Advisory
- http://www.securityfocus.com/archive/1/493352/100/0/threaded
  Tags: Third Party Advisory; VDB Entry
- http://www.vupen.com/english/advisories/2009/0904
  Tags: Third Party Advisory
- http://www.securityfocus.com/bid/29715
  Tags: Third Party Advisory; VDB Entry
- http://www.openwall.com/lists/oss-security/2008/10/15/1
  Title: oss-security - Vim CVE issues cleanup (plugins tar.vim, zip.vim) - CVE-2008-3074 and CVE-2008-3075
  Tags: Mailing List; Third Party Advisory
- http://www.vupen.com/english/advisories/2008/1851/references
  Tags: Third Party Advisory
- http://www.securityfocus.com/archive/1/502322/100/0/threaded
  Tags: Third Party Advisory; VDB Entry
- http://www.redhat.com/support/errata/RHSA-2008-0618.html
  Title: Support
  Tags: Third Party Advisory
- http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html
  Tags: Mailing List; Third Party Advisory
- http://support.avaya.com/elmodocs2/security/ASA-2009-001.htm
  Title: ASA-2009-001 (RHSA-2008-0617)
  Tags: Third Party Advisory
- http://www.redhat.com/support/errata/RHSA-2008-0580.html
  Title: Support
  Tags: Third Party Advisory
- http://www.securitytracker.com/id?1020293
  Tags: Third Party Advisory; VDB Entry
- http://support.avaya.com/elmodocs2/security/ASA-2008-457.htm
  Title: ASA-2008-457 (RHSA-2008-0618)
  Tags: Third Party Advisory
- http://support.apple.com/kb/HT4077
  Title: About the security content of Security Update 2010-002 / Mac OS X v10.6.3 - Apple Support
  Tags: Third Party Advisory
- http://www.ubuntu.com/usn/USN-712-1
  Title: USN-712-1: Vim vulnerabilities | Ubuntu security notices | Ubuntu
  Tags: Third Party Advisory
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6238
  Tags: Third Party Advisory
- https://exchange.xforce.ibmcloud.com/vulnerabilities/43083
  Title: Vim multiple scripts command execution CVE-2008-2712 Vulnerability Report
  Tags: Third Party Advisory; VDB Entry
- http://www.redhat.com/support/errata/RHSA-2008-0617.html
  Title: Support
  Tags: Third Party Advisory
- http://www.securityfocus.com/archive/1/493353/100/0/threaded
  Tags: Third Party Advisory; VDB Entry
- http://marc.info/?l=bugtraq&m=121494431426308&w=2
  Title: 'Re: Collection of Vulnerabilities in Fully Patched Vim 7.1' - MARC
  Tags: Mailing List; Third Party Advisory
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:236
  Title: Mandriva
  Tags: Third Party Advisory
- http://www.vupen.com/english/advisories/2008/2780
  Tags: Third Party Advisory
- http://www.securityfocus.com/archive/1/495319/100/0/threaded
  Tags: Third Party Advisory; VDB Entry
- http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
  Title: Apple - Lists.apple.com
  Tags: Mailing List; Third Party Advisory
- https://issues.rpath.com/browse/RPL-2622
  Tags: Broken Link
- http://support.apple.com/kb/HT3216
  Title: About Security Update 2008-007 - Apple Support
  Tags: Third Party Advisory
- http://www.securityfocus.com/bid/31681
  Tags: Third Party Advisory; VDB Entry
- http://www.vmware.com/security/advisories/VMSA-2009-0004.html
  Title: Support Content Notification - Support Portal - Broadcom support portal
  Tags: Third Party Advisory