Improper Input Validation Affecting vim package, versions <1:7.1.314-3


Severity

Recommended
low

Based on Debian security rating.

Threat Intelligence

EPSS
1.09% (85th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Improper Input Validation vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-DEBIAN12-VIM-1562172
  • published16 Jun 2008
  • disclosed16 Jun 2008

Introduced: 16 Jun 2008

CVE-2008-2712  (opens in a new tab)
CWE-20  (opens in a new tab)

How to fix?

Upgrade Debian:12 vim to version 1:7.1.314-3 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream vim package and not the vim package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Vim 7.1.314, 6.4, and other versions allows user-assisted remote attackers to execute arbitrary commands via Vim scripts that do not properly sanitize inputs before invoking the execute or system functions, as demonstrated using (1) filetype.vim, (3) xpm.vim, (4) gzip_vim, and (5) netrw. NOTE: the originally reported version was 7.1.314, but the researcher actually found this set of issues in 7.1.298. NOTE: the zipplugin issue (originally vector 2 in this identifier) has been subsumed by CVE-2008-3075.

References

CVSS Scores

version 3.1