CVE-2016-1248

EPSS 23.18%
Published 23.11.2016 15:59:00
Last modified 12.04.2025 10:46:40
Source security@debian.org
Teams watchlist Login
Open Login

vim before patch 8.0.0056 does not properly validate values for the 'filetype', 'syntax' and 'keymap' options, which may result in the execution of arbitrary code if a file with a specially crafted modeline is opened.

Affected products Warnungen 0 Metrics 3 CWE 1 References 16

Data is provided by the National Vulnerability Database (NVD)

Vim ≫ Vim Version <= 8.0.0055

Debian ≫ Debian Linux Version8.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	23.18%	0.954

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.8	1.8	5.9	CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd@nist.gov	6.8	8.6	6.4	AV:N/AC:M/Au:N/C:P/I:P/A:P

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

http://openwall.com/lists/oss-security/2016/11/22/20

Patch

Third Party Advisory

http://rhn.redhat.com/errata/RHSA-2016-2972.html

http://www.debian.org/security/2016/dsa-3722

http://www.securityfocus.com/bid/94478

http://www.securitytracker.com/id/1037338

http://www.ubuntu.com/usn/USN-3139-1

https://anonscm.debian.org/cgit/pkg-vim/vim.git/tree/debian/changelog

Patch

Third Party Advisory

https://github.com/neovim/neovim/commit/4fad66fbe637818b6b3d6bc5d21923ba72795040