Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 15 |
CVE-ID | CVE-2022-1725 CVE-2022-1771 CVE-2022-1886 CVE-2022-1897 CVE-2022-2000 CVE-2022-2042 CVE-2023-46246 CVE-2023-48231 CVE-2023-48232 CVE-2023-48233 CVE-2023-48234 CVE-2023-48235 CVE-2023-48236 CVE-2023-48237 CVE-2023-48706 |
CWE-ID | CWE-476 CWE-121 CWE-122 CWE-787 CWE-416 CWE-190 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software Subscribe |
Ubuntu Operating systems & Components / Operating system vim-gtk (Ubuntu package) Operating systems & Components / Operating system package or component xxd (Ubuntu package) Operating systems & Components / Operating system package or component vim-tiny (Ubuntu package) Operating systems & Components / Operating system package or component vim-nox (Ubuntu package) Operating systems & Components / Operating system package or component vim-gtk3 (Ubuntu package) Operating systems & Components / Operating system package or component vim-athena (Ubuntu package) Operating systems & Components / Operating system package or component vim (Ubuntu package) Operating systems & Components / Operating system package or component |
Vendor | Canonical Ltd. |
Security Bulletin
This security bulletin contains information about 15 vulnerabilities.
EUVDB-ID: #VU66151
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-1725
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error. A remote attacker can trick the victim to open a specially crafted file and perform a denial of service (DoS) attack.
MitigationUpdate the affected package vim to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 23.10
vim-gtk (Ubuntu package): before Ubuntu Pro (Infra-only)
xxd (Ubuntu package): before Ubuntu Pro
vim-tiny (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-nox (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-gtk3 (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-athena (Ubuntu package): before Ubuntu Pro (Infra-only)
vim (Ubuntu package): before Ubuntu Pro (Infra-only)
External linkshttp://ubuntu.com/security/notices/USN-6557-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU63488
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-1771
CWE-ID:
CWE-121 - Stack-based buffer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to a boundary error when providing certain input. A remote attacker can trigger stack-based buffer overflow and perform a denial of service attack.
MitigationUpdate the affected package vim to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 23.10
vim-gtk (Ubuntu package): before Ubuntu Pro (Infra-only)
xxd (Ubuntu package): before Ubuntu Pro
vim-tiny (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-nox (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-gtk3 (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-athena (Ubuntu package): before Ubuntu Pro (Infra-only)
vim (Ubuntu package): before Ubuntu Pro (Infra-only)
External linkshttp://ubuntu.com/security/notices/USN-6557-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU64722
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-1886
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in register.c. A remote attacker can trick the victim to open a specially crafted file, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package vim to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 23.10
vim-gtk (Ubuntu package): before Ubuntu Pro (Infra-only)
xxd (Ubuntu package): before Ubuntu Pro
vim-tiny (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-nox (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-gtk3 (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-athena (Ubuntu package): before Ubuntu Pro (Infra-only)
vim (Ubuntu package): before Ubuntu Pro (Infra-only)
External linkshttp://ubuntu.com/security/notices/USN-6557-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU64506
Risk: Low
CVSSv3.1: 6.1 [CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-1897
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to execute arbitrary code on the system.
The vulnerability exists due to Illegal memory access and leads to an out-of-bounds write vulnerability in the vim_regsub_both() function. A local attacker can trick the victim into opening a specially crafted file, leading to a system crash or code execution.
MitigationUpdate the affected package vim to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 23.10
vim-gtk (Ubuntu package): before Ubuntu Pro (Infra-only)
xxd (Ubuntu package): before Ubuntu Pro
vim-tiny (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-nox (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-gtk3 (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-athena (Ubuntu package): before Ubuntu Pro (Infra-only)
vim (Ubuntu package): before Ubuntu Pro (Infra-only)
External linkshttp://ubuntu.com/security/notices/USN-6557-1
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU64719
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-2000
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted input in ex_docmd.c. A remote attacker can create a specially crafted file, trick the victim into opening it using the affected software, trigger out-of-bounds write and execute arbitrary code on the target system.
MitigationUpdate the affected package vim to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 23.10
vim-gtk (Ubuntu package): before Ubuntu Pro (Infra-only)
xxd (Ubuntu package): before Ubuntu Pro
vim-tiny (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-nox (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-gtk3 (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-athena (Ubuntu package): before Ubuntu Pro (Infra-only)
vim (Ubuntu package): before Ubuntu Pro (Infra-only)
External linkshttp://ubuntu.com/security/notices/USN-6557-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU64706
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-2042
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in spell.c. A remote attacker can trick the victim to open a specially crafted file, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationUpdate the affected package vim to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 23.10
vim-gtk (Ubuntu package): before Ubuntu Pro (Infra-only)
xxd (Ubuntu package): before Ubuntu Pro
vim-tiny (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-nox (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-gtk3 (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-athena (Ubuntu package): before Ubuntu Pro (Infra-only)
vim (Ubuntu package): before Ubuntu Pro (Infra-only)
External linkshttp://ubuntu.com/security/notices/USN-6557-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU83514
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-46246
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to crash the application.
The vulnerability exists due to integer overflow. A remote attacker can trick the victim to open a specially crafted file and perform a denial of service (DoS) attack.
Update the affected package vim to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 23.10
vim-gtk (Ubuntu package): before Ubuntu Pro (Infra-only)
xxd (Ubuntu package): before Ubuntu Pro
vim-tiny (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-nox (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-gtk3 (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-athena (Ubuntu package): before Ubuntu Pro (Infra-only)
vim (Ubuntu package): before Ubuntu Pro (Infra-only)
External linkshttp://ubuntu.com/security/notices/USN-6557-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU83392
Risk: Low
CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-48231
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a use-after-free error when closing the window. A remote attacker can trick the victim to open a specially crafted file and crash the application.
Update the affected package vim to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 23.10
vim-gtk (Ubuntu package): before Ubuntu Pro (Infra-only)
xxd (Ubuntu package): before Ubuntu Pro
vim-tiny (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-nox (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-gtk3 (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-athena (Ubuntu package): before Ubuntu Pro (Infra-only)
vim (Ubuntu package): before Ubuntu Pro (Infra-only)
External linkshttp://ubuntu.com/security/notices/USN-6557-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU83391
Risk: Low
CVSSv3.1: 3.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-48232
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to integer overflow when calculating the line offset for overlong lines and smooth scrolling is enabled and the cpo-settings include the 'n' flag. A remote attacker can trick the victim to open a specially crafted file, trigger an integer overflow and crash the application. MitigationUpdate the affected package vim to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 23.10
vim-gtk (Ubuntu package): before Ubuntu Pro (Infra-only)
xxd (Ubuntu package): before Ubuntu Pro
vim-tiny (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-nox (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-gtk3 (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-athena (Ubuntu package): before Ubuntu Pro (Infra-only)
vim (Ubuntu package): before Ubuntu Pro (Infra-only)
External linkshttp://ubuntu.com/security/notices/USN-6557-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU83390
Risk: Low
CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-48233
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to integer overflow if the count after the :s command is larger than what fits into a (signed) long variable. A remote attacker can trick the victim to open a specially crafted file, trigger an integer overflow and crash the application. MitigationUpdate the affected package vim to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 23.10
vim-gtk (Ubuntu package): before Ubuntu Pro (Infra-only)
xxd (Ubuntu package): before Ubuntu Pro
vim-tiny (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-nox (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-gtk3 (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-athena (Ubuntu package): before Ubuntu Pro (Infra-only)
vim (Ubuntu package): before Ubuntu Pro (Infra-only)
External linkshttp://ubuntu.com/security/notices/USN-6557-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU83389
Risk: Low
CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-48234
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to integer overflow when using the z= command. A remote attacker can trick the victim to open a specially crafted file, trigger an integer overflow and crash the application. MitigationUpdate the affected package vim to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 23.10
vim-gtk (Ubuntu package): before Ubuntu Pro (Infra-only)
xxd (Ubuntu package): before Ubuntu Pro
vim-tiny (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-nox (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-gtk3 (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-athena (Ubuntu package): before Ubuntu Pro (Infra-only)
vim (Ubuntu package): before Ubuntu Pro (Infra-only)
External linkshttp://ubuntu.com/security/notices/USN-6557-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU83388
Risk: Low
CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-48235
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to integer overflow when parsing relative ex addresses. A remote attacker can trick the victim to open a specially crafted file, trigger an integer overflow and crash the application. MitigationUpdate the affected package vim to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 23.10
vim-gtk (Ubuntu package): before Ubuntu Pro (Infra-only)
xxd (Ubuntu package): before Ubuntu Pro
vim-tiny (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-nox (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-gtk3 (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-athena (Ubuntu package): before Ubuntu Pro (Infra-only)
vim (Ubuntu package): before Ubuntu Pro (Infra-only)
External linkshttp://ubuntu.com/security/notices/USN-6557-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU83387
Risk: Low
CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-48236
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to integer overflow when using the z= command. A remote attacker can trick the victim to open a specially crafted file, trigger an integer overflow and crash the application.
Update the affected package vim to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 23.10
vim-gtk (Ubuntu package): before Ubuntu Pro (Infra-only)
xxd (Ubuntu package): before Ubuntu Pro
vim-tiny (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-nox (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-gtk3 (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-athena (Ubuntu package): before Ubuntu Pro (Infra-only)
vim (Ubuntu package): before Ubuntu Pro (Infra-only)
External linkshttp://ubuntu.com/security/notices/USN-6557-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU83386
Risk: Low
CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-48237
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to integer overflow when shifting lines in operator pending mode. A remote attacker can trick the victim to open a specially crafted file, trigger an integer overflow and crash the application.
Update the affected package vim to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 23.10
vim-gtk (Ubuntu package): before Ubuntu Pro (Infra-only)
xxd (Ubuntu package): before Ubuntu Pro
vim-tiny (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-nox (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-gtk3 (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-athena (Ubuntu package): before Ubuntu Pro (Infra-only)
vim (Ubuntu package): before Ubuntu Pro (Infra-only)
External linkshttp://ubuntu.com/security/notices/USN-6557-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU83442
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-48706
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a use-after-free error within the ex_substitute() function in src/charset.c when executing the ":s" command. A remote attacker can trick the victim to open a specially crafted file, trigger a use-after-free error and crash the application.
Update the affected package vim to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 23.10
vim-gtk (Ubuntu package): before Ubuntu Pro (Infra-only)
xxd (Ubuntu package): before Ubuntu Pro
vim-tiny (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-nox (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-gtk3 (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-athena (Ubuntu package): before Ubuntu Pro (Infra-only)
vim (Ubuntu package): before Ubuntu Pro (Infra-only)
External linkshttp://ubuntu.com/security/notices/USN-6557-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.