Main Vulnerability Database Vulnerabilities #VU30281

#VU30281 OS Command Injection in Vim - CVE-2019-20807

Published: May 28, 2020 / Updated: July 17, 2020

Vulnerability identifier: #VU30281

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2019-20807

CWE-ID: CWE-78

Exploitation vector: Local access

Exploit availability: No public exploit available

Vulnerable software:
Vim

Software vendor:
Vim.org

Description

The vulnerability allows a local authenticated user to read and manipulate data.

In Vim before 8.1.0881, users can circumvent the rvim restricted mode and execute arbitrary OS commands via scripting interfaces (e.g., Python, Ruby, or Lua).

Remediation

Install update from vendor's website.

External links

http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00018.html
https://github.com/vim/vim/commit/8c62a08faf89663e5633dc5036cd8695c80f1075
https://github.com/vim/vim/releases/tag/v8.1.0881
https://support.apple.com/kb/HT211289

#VU30281 OS Command Injection in Vim - CVE-2019-20807

Description

Remediation

External links

Please verify you're human