CVE-2008-3076

Critical

Description

The Netrw plugin 125 in netrw.vim in Vim 7.2a.10 allows user-assisted attackers to execute arbitrary code via shell metacharacters in filenames used by the execute and system functions within the (1) mz and (2) mc commands, as demonstrated by the netrw.v2 and netrw.v3 test cases. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2008-2712.

References

https://exchange.xforce.ibmcloud.com/vulnerabilities/43624

http://www.redhat.com/support/errata/RHSA-2008-0580.html

http://www.openwall.com/lists/oss-security/2008/10/20/2

http://www.openwall.com/lists/oss-security/2008/07/08/12

http://www.mandriva.com/security/advisories?name=MDVSA-2008:236

http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0324

http://secunia.com/advisories/34418

http://marc.info/?l=bugtraq&m=121494431426308&w=2

http://lists.opensuse.org/opensuse-security-announce/2009-03/msg00004.html

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=506919

Details

Source: Mitre, NVD

Published: 2009-02-21

Updated: 2017-08-08

Risk Information

CVSS v2

Base Score: 9.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Severity: High

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical