#VU30281 OS Command Injection


Published: 2020-05-28 | Updated: 2020-07-17

Vulnerability identifier: #VU30281

Vulnerability risk: Low

CVSSv3.1:

CVE-ID: CVE-2019-20807

CWE-ID: CWE-78

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Vim
Client/Desktop applications / Office applications

Vendor: Vim.org

Description

The vulnerability allows a local authenticated user to read and manipulate data.

In Vim before 8.1.0881, users can circumvent the rvim restricted mode and execute arbitrary OS commands via scripting interfaces (e.g., Python, Ruby, or Lua).

Mitigation
Install update from vendor's website.

Vulnerable software versions

Vim: 8.1.0000 - 8.1.0880


CPE

External links
http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00018.html
http://github.com/vim/vim/commit/8c62a08faf89663e5633dc5036cd8695c80f1075
http://github.com/vim/vim/releases/tag/v8.1.0881
http://support.apple.com/kb/HT211289


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


Latest bulletins with this vulnerability