Vulnerability Details: CVE-2008-3294
src/configure.in in Vim 5.0 through 7.1, when used for a build with Python support, does not ensure that the Makefile-conf temporary file has the intended ownership and permissions, which allows local users to execute arbitrary code by modifying this file during a time window, or by creating it ahead of time with permissions that prevent its modification by configure.
Vulnerability category: Execute code
Products affected by CVE-2008-3294
- cpe:2.3:a:vim:vim:7.1:*:*:*:*:*:*:*
- cpe:2.3:a:vim:vim:7.0:*:*:*:*:*:*:*
- cpe:2.3:a:vim:vim:6.3:*:*:*:*:*:*:*
- cpe:2.3:a:vim:vim:6.2:*:*:*:*:*:*:*
- cpe:2.3:a:vim:vim:5.4:*:*:*:*:*:*:*
- cpe:2.3:a:vim:vim:5.3:*:*:*:*:*:*:*
- cpe:2.3:a:vim:vim:5.8:*:*:*:*:*:*:*
- cpe:2.3:a:vim:vim:5.7:*:*:*:*:*:*:*
- cpe:2.3:a:vim:vim:5.0:*:*:*:*:*:*:*
- cpe:2.3:a:vim:vim:6.4:*:*:*:*:*:*:*
- cpe:2.3:a:vim:vim:5.6:*:*:*:*:*:*:*
- cpe:2.3:a:vim:vim:5.5:*:*:*:*:*:*:*
- cpe:2.3:a:vim:vim:6.1:*:*:*:*:*:*:*
- cpe:2.3:a:vim:vim:6.0:*:*:*:*:*:*:*
- cpe:2.3:a:vim:vim:5.2:*:*:*:*:*:*:*
- cpe:2.3:a:vim:vim:5.1:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2008-3294
- EPSS score: 0.04% (probability of exploitation activity in the next 30 days)
- Percentile: ~6% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2008-3294
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
3.7 | LOW | AV:L/AC:H/Au:N/C:P/I:P/A:P | 1.9 | 6.4 | NIST | |
CWE ids for CVE-2008-3294
- The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. Assigned by: nvd@nist.gov (Primary)
Vendor statements for CVE-2008-3294
- Red Hat, 2008-07-25: This issue can only be exploited during the package build and it does not affect users of pre-built packages distributed with Red Hat Enterprise Linux. Therefore, we do not plan to backport a fix for this issue to already released versions of Red Hat Enterprise Linux 2.1, 3, 4, and 5.
References for CVE-2008-3294
- http://www.vupen.com/english/advisories/2008/2146/references (Vendor Advisory)
- http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html
- http://seclists.org/fulldisclosure/2008/Jul/0312.html
- http://www.vupen.com/english/advisories/2008/2780 (Vendor Advisory)
- http://support.apple.com/kb/HT3216 (About Security Update 2008-007 - Apple Support)
- http://www.securityfocus.com/archive/1/494532/100/0/threaded
- http://www.securityfocus.com/archive/1/494535/100/0/threaded
- http://www.securityfocus.com/bid/31681
- http://www.securityfocus.com/archive/1/494736/100/0/threaded