{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "getchar.c in Vim before 8.1.1365 and Neovim before 0.3.6 allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline, as demonstrated by execute in Vim, and assert_fails or nvim_input in Neovim."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-03-12T22:06:09", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/vim/vim/commit/53575521406739cf20bbe4e384d88e7dca11f040"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/neovim/neovim/pull/10082"}, {"tags": ["x_refsource_MISC"], "url": "https://bugs.debian.org/930020"}, {"tags": ["x_refsource_MISC"], "url": "https://bugs.debian.org/930024"}, {"name": "FEDORA-2019-d79f89346c", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2BMDSHTF754TITC6AQJPCS5IRIDMMIM7/"}, {"name": "USN-4016-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/4016-1/"}, {"name": "USN-4016-2", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/4016-2/"}, {"name": "108724", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/108724"}, {"name": "FEDORA-2019-dcd49378b8", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TRIRBC2YRGKPAWVRMZS4SZTGGCVRVZPR/"}, {"name": "openSUSE-SU-2019:1551", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00031.html"}, {"name": "openSUSE-SU-2019:1562", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00036.html"}, {"name": "openSUSE-SU-2019:1561", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00037.html"}, {"name": "DSA-4467", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2019/dsa-4467"}, {"name": "20190624 [SECURITY] [DSA 4467-2] vim regression update", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "https://seclists.org/bugtraq/2019/Jun/33"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://support.f5.com/csp/article/K93144355"}, {"name": "RHSA-2019:1619", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:1619"}, {"name": "RHSA-2019:1774", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:1774"}, {"name": "RHSA-2019:1793", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:1793"}, {"name": "openSUSE-SU-2019:1759", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00034.html"}, {"name": "openSUSE-SU-2019:1796", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00050.html"}, {"name": "DSA-4487", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2019/dsa-4487"}, {"name": "20190724 [SECURITY] [DSA 4487-1] neovim security update", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "https://seclists.org/bugtraq/2019/Jul/39"}, {"name": "RHSA-2019:1947", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:1947"}, {"name": "[debian-lts-announce] 20190803 [SECURITY] [DLA 1871-1] vim security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00003.html"}, {"name": "openSUSE-SU-2019:1997", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00075.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://support.f5.com/csp/article/K93144355?utm_source=f5support&amp%3Butm_medium=RSS"}, {"name": "GLSA-202003-04", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202003-04"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-12735", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "getchar.c in Vim before 8.1.1365 and Neovim before 0.3.6 allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline, as demonstrated by execute in Vim, and assert_fails or nvim_input in Neovim."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md", "refsource": "MISC", "url": "https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md"}, {"name": "https://github.com/vim/vim/commit/53575521406739cf20bbe4e384d88e7dca11f040", "refsource": "MISC", "url": "https://github.com/vim/vim/commit/53575521406739cf20bbe4e384d88e7dca11f040"}, {"name": "https://github.com/neovim/neovim/pull/10082", "refsource": "MISC", "url": "https://github.com/neovim/neovim/pull/10082"}, {"name": "https://bugs.debian.org/930020", "refsource": "MISC", "url": "https://bugs.debian.org/930020"}, {"name": "https://bugs.debian.org/930024", "refsource": "MISC", "url": "https://bugs.debian.org/930024"}, {"name": "FEDORA-2019-d79f89346c", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2BMDSHTF754TITC6AQJPCS5IRIDMMIM7/"}, {"name": "USN-4016-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4016-1/"}, {"name": "USN-4016-2", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4016-2/"}, {"name": "108724", "refsource": "BID", "url": "http://www.securityfocus.com/bid/108724"}, {"name": "FEDORA-2019-dcd49378b8", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TRIRBC2YRGKPAWVRMZS4SZTGGCVRVZPR/"}, {"name": "openSUSE-SU-2019:1551", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00031.html"}, {"name": "openSUSE-SU-2019:1562", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00036.html"}, {"name": "openSUSE-SU-2019:1561", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00037.html"}, {"name": "DSA-4467", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2019/dsa-4467"}, {"name": "20190624 [SECURITY] [DSA 4467-2] vim regression update", "refsource": "BUGTRAQ", "url": "https://seclists.org/bugtraq/2019/Jun/33"}, {"name": "https://support.f5.com/csp/article/K93144355", "refsource": "CONFIRM", "url": "https://support.f5.com/csp/article/K93144355"}, {"name": "RHSA-2019:1619", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:1619"}, {"name": "RHSA-2019:1774", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:1774"}, {"name": "RHSA-2019:1793", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:1793"}, {"name": "openSUSE-SU-2019:1759", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00034.html"}, {"name": "openSUSE-SU-2019:1796", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00050.html"}, {"name": "DSA-4487", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2019/dsa-4487"}, {"name": "20190724 [SECURITY] [DSA 4487-1] neovim security update", "refsource": "BUGTRAQ", "url": "https://seclists.org/bugtraq/2019/Jul/39"}, {"name": "RHSA-2019:1947", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:1947"}, {"name": "[debian-lts-announce] 20190803 [SECURITY] [DLA 1871-1] vim security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00003.html"}, {"name": "openSUSE-SU-2019:1997", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00075.html"}, {"name": "https://support.f5.com/csp/article/K93144355?utm_source=f5support&utm_medium=RSS", "refsource": "CONFIRM", "url": "https://support.f5.com/csp/article/K93144355?utm_source=f5support&utm_medium=RSS"}, {"name": "GLSA-202003-04", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202003-04"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T23:32:54.206Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/vim/vim/commit/53575521406739cf20bbe4e384d88e7dca11f040"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/neovim/neovim/pull/10082"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugs.debian.org/930020"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugs.debian.org/930024"}, {"name": "FEDORA-2019-d79f89346c", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2BMDSHTF754TITC6AQJPCS5IRIDMMIM7/"}, {"name": "USN-4016-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "https://usn.ubuntu.com/4016-1/"}, {"name": "USN-4016-2", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "https://usn.ubuntu.com/4016-2/"}, {"name": "108724", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/108724"}, {"name": "FEDORA-2019-dcd49378b8", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TRIRBC2YRGKPAWVRMZS4SZTGGCVRVZPR/"}, {"name": "openSUSE-SU-2019:1551", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00031.html"}, {"name": "openSUSE-SU-2019:1562", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00036.html"}, {"name": "openSUSE-SU-2019:1561", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00037.html"}, {"name": "DSA-4467", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2019/dsa-4467"}, {"name": "20190624 [SECURITY] [DSA 4467-2] vim regression update", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "https://seclists.org/bugtraq/2019/Jun/33"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://support.f5.com/csp/article/K93144355"}, {"name": "RHSA-2019:1619", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2019:1619"}, {"name": "RHSA-2019:1774", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2019:1774"}, {"name": "RHSA-2019:1793", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2019:1793"}, {"name": "openSUSE-SU-2019:1759", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00034.html"}, {"name": "openSUSE-SU-2019:1796", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00050.html"}, {"name": "DSA-4487", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2019/dsa-4487"}, {"name": "20190724 [SECURITY] [DSA 4487-1] neovim security update", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "https://seclists.org/bugtraq/2019/Jul/39"}, {"name": "RHSA-2019:1947", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2019:1947"}, {"name": "[debian-lts-announce] 20190803 [SECURITY] [DLA 1871-1] vim security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00003.html"}, {"name": "openSUSE-SU-2019:1997", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00075.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://support.f5.com/csp/article/K93144355?utm_source=f5support&amp%3Butm_medium=RSS"}, {"name": "GLSA-202003-04", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/202003-04"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-12735", "datePublished": "2019-06-05T13:07:48", "dateReserved": "2019-06-05T00:00:00", "dateUpdated": "2024-08-04T23:32:54.206Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vim:vim:*:*:*:*:*:*:*:*", "matchCriteriaId": "E64CDC4D-44E0-41D9-B0FF-EBE09F8FE096", "versionEndExcluding": "8.1.1365", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:neovim:neovim:*:*:*:*:*:*:*:*", "matchCriteriaId": "E3E1B71E-EB89-4AA5-8635-88ADDFD41830", "versionEndExcluding": "0.3.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "getchar.c in Vim before 8.1.1365 and Neovim before 0.3.6 allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline, as demonstrated by execute in Vim, and assert_fails or nvim_input in Neovim."}, {"lang": "es", "value": "El archivo getchar.c en Vim anterior a versi\u00f3n 8.1.1365 y Neovim anterior a versi\u00f3n 0.3.6 permite a los atacantes remotos ejecutar comandos arbitrarios del sistema operativo por medio de: comando source! en el componente modeline, como es demostrado por la ejecuci\u00f3n en Vim, y assert_fails o nvim_input en Neovim."}], "id": "CVE-2019-12735", "lastModified": "2023-11-07T03:03:40.000", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-06-05T14:29:11.387", "references": [{"source": "cve@mitre.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00031.html"}, {"source": "cve@mitre.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00036.html"}, {"source": "cve@mitre.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00037.html"}, {"source": "cve@mitre.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00034.html"}, {"source": "cve@mitre.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00050.html"}, {"source": "cve@mitre.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00075.html"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/108724"}, {"source": "cve@mitre.org", "url": "https://access.redhat.com/errata/RHSA-2019:1619"}, {"source": "cve@mitre.org", "url": "https://access.redhat.com/errata/RHSA-2019:1774"}, {"source": "cve@mitre.org", "url": "https://access.redhat.com/errata/RHSA-2019:1793"}, {"source": "cve@mitre.org", "url": "https://access.redhat.com/errata/RHSA-2019:1947"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://bugs.debian.org/930020"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://bugs.debian.org/930024"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/neovim/neovim/pull/10082"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/vim/vim/commit/53575521406739cf20bbe4e384d88e7dca11f040"}, {"source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00003.html"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2BMDSHTF754TITC6AQJPCS5IRIDMMIM7/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TRIRBC2YRGKPAWVRMZS4SZTGGCVRVZPR/"}, {"source": "cve@mitre.org", "url": "https://seclists.org/bugtraq/2019/Jul/39"}, {"source": "cve@mitre.org", "url": "https://seclists.org/bugtraq/2019/Jun/33"}, {"source": "cve@mitre.org", "url": "https://security.gentoo.org/glsa/202003-04"}, {"source": "cve@mitre.org", "url": "https://support.f5.com/csp/article/K93144355"}, {"source": "cve@mitre.org", "url": "https://support.f5.com/csp/article/K93144355?utm_source=f5support&amp%3Butm_medium=RSS"}, {"source": "cve@mitre.org", "url": "https://usn.ubuntu.com/4016-1/"}, {"source": "cve@mitre.org", "url": "https://usn.ubuntu.com/4016-2/"}, {"source": "cve@mitre.org", "url": "https://www.debian.org/security/2019/dsa-4467"}, {"source": "cve@mitre.org", "url": "https://www.debian.org/security/2019/dsa-4487"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2019:1774", "cpe": "cpe:/o:redhat:enterprise_linux:6", "package": "vim-2:7.4.629-5.el6_10.2", "product_name": "Red Hat Enterprise Linux 6", "release_date": "2019-07-15T00:00:00Z"}, {"advisory": "RHSA-2019:1619", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "vim-2:7.4.160-6.el7_6", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2019-06-27T00:00:00Z"}, {"advisory": "RHSA-2019:1947", "cpe": "cpe:/o:redhat:rhel_eus:7.4", "package": "vim-2:7.4.160-2.el7_4.1", "product_name": "Red Hat Enterprise Linux 7.4 Extended Update Support", "release_date": "2019-07-30T00:00:00Z"}, {"advisory": "RHSA-2019:1793", "cpe": "cpe:/o:redhat:rhel_eus:7.5", "package": "vim-2:7.4.160-4.el7_5.1", "product_name": "Red Hat Enterprise Linux 7.5 Extended Update Support", "release_date": "2019-07-16T00:00:00Z"}, {"advisory": "RHSA-2019:1619", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "vim-2:8.0.1763-11.el8_0", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-06-27T00:00:00Z"}, {"advisory": "RHSA-2019:1619", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "vim-2:8.0.1763-11.el8_0", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-06-27T00:00:00Z"}], "bugzilla": {"description": "vim/neovim: ': source!' command allows arbitrary command execution via modelines", "id": "1718308", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1718308"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "status": "verified"}, "cwe": "CWE-94", "details": ["getchar.c in Vim before 8.1.1365 and Neovim before 0.3.6 allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline, as demonstrated by execute in Vim, and assert_fails or nvim_input in Neovim.", "It was found that the `:source!` command was not restricted by the sandbox mode. If modeline was explicitly enabled, opening a specially crafted text file in vim could result in arbitrary command execution."], "mitigation": {"lang": "en:us", "value": "The vulnerability can be triggered only if `modeline` is enabled. You can check whether `modeline` is enabled within vim via the command `:set modeline?`\nIt can be turned off explicitly by adding `set nomodeline` in a vimrc file."}, "name": "CVE-2019-12735", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Out of support scope", "package_name": "vim", "product_name": "Red Hat Enterprise Linux 5"}], "public_date": "2019-06-05T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-12735\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-12735"], "statement": "To be successfully and automatically triggered when a specially crafted file is opened, this vulnerability requires 3 parts :\n1) The `source!` command inability to check if it is running in sandbox mode (the fix commit prevents this)\n2) The `modeline` to be enabled (by default, modeline is disabled when running with root permission. See `Mitigation` steps to disable the modeline)\n3) A function, to be inserted in the modeline, that can be used to trigger the `source!` command (e.g.: `assert_fail()` in the public reproducer). To the best of our knowledge, no such functions were found in the default installation of Red Hat Enterprise Linux versions 5, 6 and 7 at the time of the flaw. However, Red Hat Enterprise Linux version 8 contains `assert_fail()`.\nWithout part 2 or 3, it would be required for an attacker to be able to craft the command line used to open the crafted file, in order to trigger the vulnerability.", "threat_severity": "Important", "upstream_fix": "neovim 0.3.6, vim 8.1.1365"}