CVE-2018-11319

Exploit

EPSS 0.84%
Veröffentlicht 20.05.2018 20:29:00
Zuletzt bearbeitet 21.11.2024 03:43:07
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

Syntastic (aka vim-syntastic) through 3.9.0 does not properly handle searches for configuration files (it searches the current directory up to potentially the root). This improper handling might be exploited for arbitrary code execution via a malicious gcc plugin, if an attacker has write access to a directory that is a parent of the base directory of the project being checked. NOTE: exploitation is more difficult after 3.8.0 because filename prediction may be needed.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 8

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Syntastic Project ≫ Syntastic SwPlatformvim Version <= 3.9.0

Debian ≫ Debian Linux Version8.0

Debian ≫ Debian Linux Version9.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.84%	0.739

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	1.6	5.9	CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	8.5	6.8	10	AV:N/AC:M/Au:S/C:C/I:C/A:C

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

https://bugs.debian.org/894736

Third Party Advisory

Exploit

Issue Tracking

https://github.com/vim-syntastic/syntastic/commit/6d7c0b394e001233dd09ec473fbea2002c72632f

Patch

Third Party Advisory

https://github.com/vim-syntastic/syntastic/issues/2170

Third Party Advisory

Exploit

Issue Tracking

https://lists.debian.org/debian-lts-announce/2018/07/msg00036.html