Main Vulnerability Database Vulnerabilities #VU30281

OS Command Injection in Vim - CVE-2019-20807

Published: May 28, 2020 / Updated: July 17, 2020

Vulnerability identifier: #VU30281

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2019-20807

CWE-ID: CWE-78

Exploitation vector: Local access

Exploit availability: No public exploit available

Vendor: Vim.org

Affected software:
Vim

Detailed vulnerability description

The vulnerability allows a local authenticated user to read and manipulate data.

In Vim before 8.1.0881, users can circumvent the rvim restricted mode and execute arbitrary OS commands via scripting interfaces (e.g., Python, Ruby, or Lua).

How to mitigate CVE-2019-20807

Install update from vendor's website.

Sources

http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00018.html
https://github.com/vim/vim/commit/8c62a08faf89663e5633dc5036cd8695c80f1075
https://github.com/vim/vim/releases/tag/v8.1.0881
https://support.apple.com/kb/HT211289

OS Command Injection in Vim - CVE-2019-20807

Detailed vulnerability description

How to mitigate CVE-2019-20807

Sources

Please verify you're human