Multiple vulnerabilities in Vim



Published: 2022-05-11 | Updated: 2022-05-20
Risk: High
Patch available: YES
Number of vulnerabilities: 13
CVE-ID: CVE-2021-3875, CVE-2021-3796, CVE-2021-3778, CVE-2021-3770, CVE-2021-3903, CVE-2021-3872, CVE-2021-3974, CVE-2021-3927, CVE-2021-3928, CVE-2021-3973, CVE-2021-3984, CVE-2021-4019, CVE-2021-3968
CWE-ID: CWE-122, CWE-416, CWE-787, CWE-457
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: Vim (Client/Desktop applications / Office applications)

Vendor

Security Bulletin

This security bulletin contains information about 13 vulnerabilities.

1) Heap-based buffer overflow

EUVDB-ID: #VU63066

Risk: High

CVSSv3.1:

CVE-ID: CVE-2021-3875

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error. A remote attacker can trick the victim into opening a specially crafted file, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Vim: before 8.2.3489


External links

http://huntr.dev/bounties/5cdbc168-6ba1-4bc2-ba6c-28be12166a53
http://github.com/vim/vim/commit/35a319b77f897744eec1155b736e9372c9c5575f
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S42L4Z4DTW4LHLQ4FJ33VEOXRCBE7WN4/
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7K4JJBIH3OQSZRVTWKCJCDLGMFGQ5DOH/
http://www.openwall.com/lists/oss-security/2022/01/15/1

2) Use-after-free

EUVDB-ID: #VU63065

Risk: High

CVSSv3.1:

CVE-ID: CVE-2021-3796

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a use-after-free error. A remote attacker can trick the victim into opening a specially crafted file, trigger a use-after-free error and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Vim: before 8.2.3428


External links

http://github.com/vim/vim/commit/35a9a00afcb20897d462a766793ff45534810dc3
http://huntr.dev/bounties/ab60b7f3-6fb1-4ac2-a4fa-4d592e08008d
http://www.openwall.com/lists/oss-security/2021/10/01/1
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TE62UMYBZE4AE53K6OBBWK32XQ7544QM/
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S42L4Z4DTW4LHLQ4FJ33VEOXRCBE7WN4/
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7K4JJBIH3OQSZRVTWKCJCDLGMFGQ5DOH/
http://lists.debian.org/debian-lts-announce/2022/01/msg00003.html

3) Heap-based buffer overflow

EUVDB-ID: #VU63063

Risk: High

CVSSv3.1:

CVE-ID: CVE-2021-3778

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error. A remote attacker can trick the victim into opening a specially crafted file, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Vim: before 8.2.3409


External links

http://github.com/vim/vim/commit/65b605665997fad54ef39a93199e305af2fe4d7f
http://huntr.dev/bounties/d9c17308-2c99-4f9f-a706-f7f72c24c273
http://www.openwall.com/lists/oss-security/2021/10/01/1
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TE62UMYBZE4AE53K6OBBWK32XQ7544QM/
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S42L4Z4DTW4LHLQ4FJ33VEOXRCBE7WN4/
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7K4JJBIH3OQSZRVTWKCJCDLGMFGQ5DOH/
http://lists.debian.org/debian-lts-announce/2022/01/msg00003.html

4) Out-of-bounds write

EUVDB-ID: #VU63062

Risk: High

CVSSv3.1:

CVE-ID: CVE-2021-3770

CWE-ID: CWE-787 - Out-of-bounds Write

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error. A remote attacker can trick the victim into opening a specially crafted file, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Vim: before 8.2.3402


External links

http://github.com/vim/vim/commit/b7081e135a16091c93f6f5f7525a5c58fb7ca9f9
http://huntr.dev/bounties/016ad2f2-07c1-4d14-a8ce-6eed10729365
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J2CJLY3CF55I2ULG2X4ENXLSXAXYW5J4/
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X4FFQARG3LGREPDZRI4C7ERQL3RJKEWQ/
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZFNTMVZCN4TRTTCAXRLVQ7H2P7FYAIZQ/
http://www.openwall.com/lists/oss-security/2021/10/01/1

5) Heap-based buffer overflow

EUVDB-ID: #VU63060

Risk: High

CVSSv3.1:

CVE-ID: CVE-2021-3903

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error. A remote attacker can trick the victim into opening a specially crafted file, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Vim: before 8.2.3564


External links

http://github.com/vim/vim/commit/777e7c21b7627be80961848ac560cb0a9978ff43
http://huntr.dev/bounties/35738a4f-55ce-446c-b836-2fb0b39625f8
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BN4EX7BPQU7RP6PXCNCSDORUZBXQ4JUH/
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DU26T75PYA3OF7XJGNKMT2ZCQEU4UKP5/
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNXY7T5OORA7UJIMGSJBGHFMU6UZWS6P/
http://www.openwall.com/lists/oss-security/2022/01/15/1

6) Heap-based buffer overflow

EUVDB-ID: #VU63059

Risk: High

CVSSv3.1:

CVE-ID: CVE-2021-3872

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error. A remote attacker can trick the victim into opening a specially crafted file, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Vim: before 8.2.3487


External links

http://github.com/vim/vim/commit/826bfe4bbd7594188e3d74d2539d9707b1c6a14b
http://huntr.dev/bounties/c958013b-1c09-4939-92ca-92f50aa169e8
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S42L4Z4DTW4LHLQ4FJ33VEOXRCBE7WN4/
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7K4JJBIH3OQSZRVTWKCJCDLGMFGQ5DOH/
http://lists.debian.org/debian-lts-announce/2022/03/msg00018.html

7) Use-after-free

EUVDB-ID: #VU63058

Risk: High

CVSSv3.1:

CVE-ID: CVE-2021-3974

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a use-after-free error. A remote attacker can trick the victim into opening a specially crafted file, trigger a use-after-free error and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Vim: before 8.2.3612


External links

http://github.com/vim/vim/commit/64066b9acd9f8cffdf4840f797748f938a13f2d6
http://huntr.dev/bounties/e402cb2c-8ec4-4828-a692-c95f8e0de6d4
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IH2LS2DXBTYOCWGAKFMBF3HTWWXPBEFL/
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNXY7T5OORA7UJIMGSJBGHFMU6UZWS6P/
http://www.openwall.com/lists/oss-security/2022/01/15/1
http://lists.debian.org/debian-lts-announce/2022/03/msg00018.html

8) Heap-based buffer overflow

EUVDB-ID: #VU63057

Risk: High

CVSSv3.1:

CVE-ID: CVE-2021-3927

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error. A remote attacker can trick the victim into opening a specially crafted file, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Vim: before 8.2.3581


External links

http://huntr.dev/bounties/9c2b2c82-48bb-4be9-ab8f-a48ea252d1b0
http://github.com/vim/vim/commit/0b5b06cb4777d1401fdf83e7d48d287662236e7e
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PGW56Z6IN4UVM3E5RXXF4G7LGGTRBI5C/
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BCQWPEY2AEYBELCMJYHYWYCD3PZVD2H7/
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNXY7T5OORA7UJIMGSJBGHFMU6UZWS6P/
http://www.openwall.com/lists/oss-security/2022/01/15/1
http://lists.debian.org/debian-lts-announce/2022/03/msg00018.html

9) Use of Uninitialized Variable

EUVDB-ID: #VU63052

Risk: High

CVSSv3.1:

CVE-ID: CVE-2021-3928

CWE-ID: CWE-457 - Use of Uninitialized Variable

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to parsing of an uninitialized variable. A remote attacker can trick a victim into opening a specially crafted file and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Vim: before 8.2.3582


External links

http://huntr.dev/bounties/29c3ebd2-d601-481c-bf96-76975369d0cd
http://github.com/vim/vim/commit/15d9890eee53afc61eb0a03b878a19cb5672f732
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PGW56Z6IN4UVM3E5RXXF4G7LGGTRBI5C/
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BCQWPEY2AEYBELCMJYHYWYCD3PZVD2H7/
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNXY7T5OORA7UJIMGSJBGHFMU6UZWS6P/
http://www.openwall.com/lists/oss-security/2022/01/15/1
http://lists.debian.org/debian-lts-announce/2022/03/msg00018.html

10) Heap-based buffer overflow

EUVDB-ID: #VU63051

Risk: High

CVSSv3.1:

CVE-ID: CVE-2021-3973

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error. A remote attacker can trick the victim into opening a specially crafted file, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Vim: before 8.2.3611


External links

http://github.com/vim/vim/commit/615ddd5342b50a6878a907062aa471740bd9a847
http://huntr.dev/bounties/ce6e8609-77c6-4e17-b9fc-a2e5abed052e
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IH2LS2DXBTYOCWGAKFMBF3HTWWXPBEFL/
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNXY7T5OORA7UJIMGSJBGHFMU6UZWS6P/
http://www.openwall.com/lists/oss-security/2022/01/15/1
http://lists.debian.org/debian-lts-announce/2022/03/msg00018.html

11) Heap-based buffer overflow

EUVDB-ID: #VU63049

Risk: High

CVSSv3.1:

CVE-ID: CVE-2021-3984

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error. A remote attacker can trick the victim into opening a specially crafted file, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Vim: before 8.2.3625


External links

http://github.com/vim/vim/commit/2de9b7c7c8791da8853a9a7ca9c467867465b655
http://huntr.dev/bounties/b114b5a2-18e2-49f0-b350-15994d71426a
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNXY7T5OORA7UJIMGSJBGHFMU6UZWS6P/
http://www.openwall.com/lists/oss-security/2022/01/15/1
http://lists.debian.org/debian-lts-announce/2022/03/msg00018.html

12) Out-of-bounds write

EUVDB-ID: #VU63048

Risk: High

CVSSv3.1:

CVE-ID: CVE-2021-4019

CWE-ID: CWE-787 - Out-of-bounds Write

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error. A remote attacker can trick the victim into opening a specially crafted file, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Vim: before 8.2.3669


External links

http://github.com/vim/vim/commit/bd228fd097b41a798f90944b5d1245eddd484142
http://huntr.dev/bounties/d8798584-a6c9-4619-b18f-001b9a6fca92
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DRPAI5JVZLI7WHWSBR6NWAPBQAYUQREW/
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNXY7T5OORA7UJIMGSJBGHFMU6UZWS6P/
http://www.openwall.com/lists/oss-security/2022/01/15/1
http://lists.debian.org/debian-lts-announce/2022/03/msg00018.html

13) Heap-based buffer overflow

EUVDB-ID: #VU63047

Risk: High

CVSSv3.1:

CVE-ID: CVE-2021-3968

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error. A remote attacker can trick the victim into opening a specially crafted file, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Vim: before 8.2.3610


External links

http://huntr.dev/bounties/00d62924-a7b4-4a61-ba29-acab2eaa1528
http://github.com/vim/vim/commit/a062006b9de0b2947ab5fb376c6e67ef92a8cd69
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IH2LS2DXBTYOCWGAKFMBF3HTWWXPBEFL/
http://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNXY7T5OORA7UJIMGSJBGHFMU6UZWS6P/
http://www.openwall.com/lists/oss-security/2022/01/15/1
