CVE-2019-12735 : getchar.c in Vim before 8.1.1365 and Neovim before 0.3.6 allows remote attackers

getchar.c in Vim before 8.1.1365 and Neovim before 0.3.6 allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline, as demonstrated by execute in Vim, and assert_fails or nvim_input in Neovim.

Published 2019-06-05 14:29:11

Updated 2019-06-13 21:29:16

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2019-12735

VIM » VIM
Versions before (<) 8.1.1365
cpe:2.3:a:vim:vim:*:*:*:*:*:*:*:*
Matching versions
Neovim » Neovim
Versions before (<) 0.3.6
cpe:2.3:a:neovim:neovim:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2019-12735

EPSS FAQ

3.25%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 91 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2019-12735

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
9.3	HIGH	AV:N/AC:M/Au:N/C:C/I:C/A:C	8.6	10.0	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
8.6	HIGH	CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H	1.8	6.0	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Changed Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2019-12735

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2019-12735

https://security.gentoo.org/glsa/202003-04

Vim, gVim: Remote execution of arbitrary code (GLSA 202003-04) — Gentoo security
https://bugs.debian.org/930020

#930020 - vim: CVE-2019-12735: Modelines allow arbitrary code execution - Debian Bug report logs
Mailing List;Third Party Advisory
https://bugs.debian.org/930024

#930024 - neovim: CVE-2019-12735: Modelines allow arbitrary code execution - Debian Bug report logs
Mailing List;Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TRIRBC2YRGKPAWVRMZS4SZTGGCVRVZPR/

[SECURITY] Fedora 29 Update: vim-8.1.1471-1.fc29 - package-announce - Fedora Mailing-Lists
https://access.redhat.com/errata/RHSA-2019:1947

RHSA-2019:1947 - Security Advisory - Red Hat Customer Portal
https://seclists.org/bugtraq/2019/Jul/39

Bugtraq: [SECURITY] [DSA 4487-1] neovim security update
https://support.f5.com/csp/article/K93144355?utm_source=f5support&utm_medium=RSS
https://usn.ubuntu.com/4016-1/

USN-4016-1: Vim vulnerabilities | Ubuntu security notices

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2019:1774

RHSA-2019:1774 - Security Advisory - Red Hat Customer Portal
https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md

security/2019-06-04_ace-vim-neovim.md at master · numirias/security · GitHub
Exploit;Patch;Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:1793

RHSA-2019:1793 - Security Advisory - Red Hat Customer Portal
https://github.com/vim/vim/commit/53575521406739cf20bbe4e384d88e7dca11f040

patch 8.1.1365: source command doesn't check for the sandbox · vim/vim@5357552 · GitHub
Patch;Third Party Advisory
https://support.f5.com/csp/article/K93144355
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00034.html

[security-announce] openSUSE-SU-2019:1759-1: important: Security update
http://www.securityfocus.com/bid/108724

Vim and Neovim CVE-2019-12735 Arbitrary Code Execution Vulnerability
https://seclists.org/bugtraq/2019/Jun/33

Bugtraq: [SECURITY] [DSA 4467-2] vim regression update
https://www.debian.org/security/2019/dsa-4467

Debian -- Security Information -- DSA-4467-1 vim
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00050.html

[security-announce] openSUSE-SU-2019:1796-1: important: Security update
https://github.com/neovim/neovim/pull/10082

vim-patch:8.1.1365: :source should check sandbox by justinmk · Pull Request #10082 · neovim/neovim · GitHub
Patch;Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00031.html

[security-announce] openSUSE-SU-2019:1551-1: important: Security update
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2BMDSHTF754TITC6AQJPCS5IRIDMMIM7/

[SECURITY] Fedora 30 Update: vim-8.1.1471-1.fc30 - package-announce - Fedora Mailing-Lists
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00037.html

[security-announce] openSUSE-SU-2019:1561-1: important: Security update
https://usn.ubuntu.com/4016-2/

USN-4016-2: Neovim vulnerability | Ubuntu security notices
https://access.redhat.com/errata/RHSA-2019:1619

RHSA-2019:1619 - Security Advisory - Red Hat Customer Portal
https://www.debian.org/security/2019/dsa-4487

Debian -- Security Information -- DSA-4487-1 neovim
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00075.html

[security-announce] openSUSE-SU-2019:1997-1: important: Security update
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00036.html

[security-announce] openSUSE-SU-2019:1562-1: important: Security update
https://lists.debian.org/debian-lts-announce/2019/08/msg00003.html

[SECURITY] [DLA 1871-1] vim security update

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2019-12735

Products affected by CVE-2019-12735

Exploit prediction scoring system (EPSS) score for CVE-2019-12735

CVSS scores for CVE-2019-12735

CWE ids for CVE-2019-12735

References for CVE-2019-12735