CVE-2016-1248

EPSS 23.18%
Veröffentlicht 23.11.2016 15:59:00
Zuletzt bearbeitet 12.04.2025 10:46:40
Quelle security@debian.org
Teams Watchlist Login
Unerledigt Login

vim before patch 8.0.0056 does not properly validate values for the 'filetype', 'syntax' and 'keymap' options, which may result in the execution of arbitrary code if a file with a specially crafted modeline is opened.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 16

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Vim ≫ Vim Version <= 8.0.0055

Debian ≫ Debian Linux Version8.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	23.18%	0.954

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.8	1.8	5.9	CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd@nist.gov	6.8	8.6	6.4	AV:N/AC:M/Au:N/C:P/I:P/A:P

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

http://openwall.com/lists/oss-security/2016/11/22/20

Patch

Third Party Advisory

http://rhn.redhat.com/errata/RHSA-2016-2972.html

http://www.debian.org/security/2016/dsa-3722

http://www.securityfocus.com/bid/94478

http://www.securitytracker.com/id/1037338

http://www.ubuntu.com/usn/USN-3139-1

https://anonscm.debian.org/cgit/pkg-vim/vim.git/tree/debian/changelog

Patch

Third Party Advisory

https://github.com/neovim/neovim/commit/4fad66fbe637818b6b3d6bc5d21923ba72795040