CVE-2008-2712: Input Validation
First published: Sun Jun 15 2008(Updated: )
Common Vulnerabilities and Exposures assigned an identifier <a href="https://access.redhat.com/security/cve/CVE-2008-2712">CVE-2008-2712</a> to the following vulnerability: Vim 7.1.314, 6.4, and other versions allows user-assisted remote attackers to execute arbitrary commands via Vim scripts that do not properly sanitize inputs before invoking the execute or system functions, as demonstrated using (1) filetype.vim, (2) zipplugin, (3) xpm.vim, (4) gzip_vim, and (5) netrw. References: <a href="http://www.rdancer.org/vulnerablevim.html">http://www.rdancer.org/vulnerablevim.html</a> <a href="http://www.securityfocus.com/archive/1/archive/1/493352/100/0/threaded">http://www.securityfocus.com/archive/1/archive/1/493352/100/0/threaded</a> <a href="http://www.securityfocus.com/archive/1/archive/1/493353/100/0/threaded">http://www.securityfocus.com/archive/1/archive/1/493353/100/0/threaded</a> <a href="http://marc.info/?l=bugtraq&m=121345541027231&w=4">http://marc.info/?l=bugtraq&m=121345541027231&w=4</a> <a href="http://www.openwall.com/lists/oss-security/2008/06/16/2">http://www.openwall.com/lists/oss-security/2008/06/16/2</a> <a href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=486502">http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=486502</a>
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/vim | <1:6.3.046-1.el4_7.5 | 1:6.3.046-1.el4_7.5 |
| redhat/vim | <2:7.0.109-4.el5_2.4 | 2:7.0.109-4.el5_2.4 |
| Vim | <=6.4 | |
| Vim | >=7.0<=7.1.314 | |
| Ubuntu Linux | =6.06 | |
| Ubuntu Linux | =7.10 | |
| Ubuntu Linux | =8.04 | |
| Ubuntu Linux | =8.10 | |
| Ubuntu | =6.06 | |
| Ubuntu | =7.10 | |
| Ubuntu | =8.04 | |
| Ubuntu | =8.10 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.rdancer.org/vulnerablevim.html
- http://www.openwall.com/lists/oss-security/2008/06/16/2
- http://www.securityfocus.com/bid/29715
- http://secunia.com/advisories/30731
- http://www.securitytracker.com/id?1020293
- https://issues.rpath.com/browse/RPL-2622
- http://wiki.rpath.com/Advisories:rPSA-2008-0247
- http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html
- http://www.securityfocus.com/bid/31681
- http://support.apple.com/kb/HT3216
- http://secunia.com/advisories/32222
- http://secunia.com/advisories/33410
- http://support.avaya.com/elmodocs2/security/ASA-2009-001.htm
- http://www.ubuntu.com/usn/USN-712-1
- http://securityreason.com/securityalert/3951
- http://www.redhat.com/support/errata/RHSA-2008-0617.html
- http://www.redhat.com/support/errata/RHSA-2008-0580.html
- http://marc.info/?l=bugtraq&m=121494431426308&w=2
- http://www.openwall.com/lists/oss-security/2008/10/15/1
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:236
- http://support.avaya.com/elmodocs2/security/ASA-2008-457.htm
- http://lists.opensuse.org/opensuse-security-announce/2009-03/msg00004.html
- http://secunia.com/advisories/34418
- http://www.vmware.com/security/advisories/VMSA-2009-0004.html
- http://www.vupen.com/english/advisories/2009/0904
- http://support.apple.com/kb/HT4077
- http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
- http://www.vupen.com/english/advisories/2009/0033
- http://www.vupen.com/english/advisories/2008/1851/references
- http://www.vupen.com/english/advisories/2008/2780
- http://secunia.com/advisories/32858
- http://secunia.com/advisories/32864
- http://www.redhat.com/support/errata/RHSA-2008-0618.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/43083
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6238
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11109
- http://www.securityfocus.com/archive/1/502322/100/0/threaded
- http://www.securityfocus.com/archive/1/495319/100/0/threaded
- http://www.securityfocus.com/archive/1/493353/100/0/threaded
- http://www.securityfocus.com/archive/1/493352/100/0/threaded
- https://access.redhat.com/security/cve/CVE-2008-2712
- http://www.securityfocus.com/archive/1/archive/1/493352/100/0/threaded
- http://www.securityfocus.com/archive/1/archive/1/493353/100/0/threaded
- http://marc.info/?l=bugtraq&m=121345541027231&w=4
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=486502
- https://bugzilla.redhat.com/show_bug.cgi/ftp:/ftp.vim.org/pub/vim/patches/7.1/7.1.299
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=311587
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=311587&action=edit
- http://www.rdancer.org/vulnerablevim.tar.bz2
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=455023
- http://www.rdancer.org/vulnerablevim.2008-07-13.tar.bz2
- http://www.rdancer.org/vulnerablevim-index.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=461745
- http://rhn.redhat.com/errata/RHSA-2008-0580.html
- http://rhn.redhat.com/errata/RHSA-2008-0617.html
- http://rhn.redhat.com/errata/RHSA-2008-0618.html
- https://admin.fedoraproject.org/updates/F9/FEDORA-2008-10587
- https://admin.fedoraproject.org/updates/F10/FEDORA-2008-10644
- https://bugzilla.redhat.com/show_bug.cgi?id=451759
- https://www.cve.org/CVERecord?id=CVE-2008-2712 https://nvd.nist.gov/vuln/detail/CVE-2008-2712
- https://access.redhat.com/errata/RHSA-2008:0618
- https://access.redhat.com/errata/RHSA-2008:0617
- https://access.redhat.com/errata/RHSA-2008:0580
- https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2008-2712.json
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the severity of CVE-2008-2712?
CVE-2008-2712 is classified as a medium severity vulnerability due to its requirement for user assistance to exploit.
How do I fix CVE-2008-2712?
To fix CVE-2008-2712, update Vim to a version higher than 7.1.314 or apply patches provided by your operating system vendor.
What software is affected by CVE-2008-2712?
CVE-2008-2712 affects multiple versions of Vim, including 6.4, and up to 7.1.314.
What type of attacks can exploit CVE-2008-2712?
CVE-2008-2712 can be exploited by user-assisted remote attackers to execute arbitrary commands through Vim scripts.
Is CVE-2008-2712 still a concern today?
While CVE-2008-2712 was identified in 2008, it is crucial to ensure all systems are updated to mitigate any potential residual risks.
- agent/type
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2008-2712
- collector/redhat-cve
- agent/software-canonical-lookup
- agent/description
- agent/author
- agent/severity
- agent/weakness
- agent/references
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/trending
- agent/source
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/tags
- collector/nvd-historical
- package-manager/redhat
- vendor/vim
- canonical/vim
- version/vim/6.4
- version/vim/7.0
- version/vim/7.1.314
- vendor/canonical
- canonical/ubuntu linux
- version/ubuntu linux/6.06
- version/ubuntu linux/7.10
- version/ubuntu linux/8.04
- version/ubuntu linux/8.10
- canonical/ubuntu
- version/ubuntu/6.06
- version/ubuntu/7.10
- version/ubuntu/8.04
- version/ubuntu/8.10