Summary
Detail | | | |
---|---|---|---|
Vendor | Vim | First view | 2009-02-21 |
Product | Zipplugin.Vim | Last view | 2009-02-21 |
Version | v.21 | Type | Application |
Update | * | | |
Edition | * | | |
Language | * | | |
Software Edition | * | | |
Target Software | * | | |
Target Hardware | * | | |
Other | * | | |
CPE Product | cpe:2.3:a:vim:zipplugin.vim | | |
Related : CVE
Score | Date | Alert | Description |
---|---|---|---|
9.3 | 2009-02-21 | CVE-2008-3075 | The shellescape function in Vim 7.0 through 7.2, including 7.2a.10, allows user-assisted attackers to execute arbitrary code via the "!" (exclamation point) shell metacharacter in (1) the filename of a ZIP archive and possibly (2) the filename of the first file in a ZIP archive, which is not properly handled by zip.vim in the VIM ZIP plugin (zipPlugin.vim) v.11 through v.21, as demonstrated by the zipplugin and zipplugin.v2 test cases. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2008-2712. NOTE: this issue has the same root cause as CVE-2008-3074. NOTE: due to the complexity of the associated disclosures and the incomplete information related to them, there may be inaccuracies in this CVE description and in external mappings to this identifier. |
CWE : Common Weakness Enumeration
% | id | Name |
---|---|---|
100% (1) | CWE-94 | Failure to Control Generation of Code ('Code Injection') |
Open Source Vulnerability Database (OSVDB)
id | Description |
---|---|
52162 | Vim ZIP Plugin (zipPlugin.vim) shellescape Function Filename Handling Arbitra... |
OpenVAS Exploits
Date | Description |
---|---|
2009-04-09 | Name : Mandriva Update for vim MDVSA-2008:236 (vim) File : nvt/gb_mandriva_MDVSA_2008_236.nasl |
2009-04-09 | Name : Mandriva Update for vim MDVSA-2008:236-1 (vim) File : nvt/gb_mandriva_MDVSA_2008_236_1.nasl |
2009-03-31 | Name : SuSE Security Summary SUSE-SR:2009:007 File : nvt/suse_sr_2009_007.nasl |
2009-03-07 | Name : Debian Security Advisory DSA 1733-1 (vim) File : nvt/deb_1733_1.nasl |
2009-03-06 | Name : RedHat Update for vim RHSA-2008:0580-01 File : nvt/gb_RHSA-2008_0580-01_vim.nasl |
2008-12-02 | Name : Vim Shell Command Injection Vulnerability (Linux) File : nvt/secpod_vim_shell_cmd_injection_vuln_lin_900412.nasl |
2008-12-02 | Name : Vim Shell Command Injection Vulnerability (Win) File : nvt/secpod_vim_shell_cmd_injection_vuln_win_900411.nasl |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2013-07-12 | Name: The remote Oracle Linux host is missing one or more security updates. File: oraclelinux_ELSA-2008-0580.nasl - Type: ACT_GATHER_INFO |
2012-08-01 | Name: The remote Scientific Linux host is missing one or more security updates. File: sl_20081125_vim_on_SL3_x.nasl - Type: ACT_GATHER_INFO |
2010-01-06 | Name: The remote CentOS host is missing one or more security updates. File: centos_RHSA-2008-0580.nasl - Type: ACT_GATHER_INFO |
2009-07-21 | Name: The remote openSUSE host is missing a security update. File: suse_11_0_gvim-090225.nasl - Type: ACT_GATHER_INFO |
2009-07-21 | Name: The remote openSUSE host is missing a security update. File: suse_11_1_gvim-090225.nasl - Type: ACT_GATHER_INFO |
2009-04-23 | Name: The remote Mandriva Linux host is missing one or more security updates. File: mandriva_MDVSA-2008-236.nasl - Type: ACT_GATHER_INFO |
2009-03-13 | Name: The remote openSUSE host is missing a security update. File: suse_gvim-6023.nasl - Type: ACT_GATHER_INFO |
2009-03-04 | Name: The remote Debian host is missing a security-related update. File: debian_DSA-1733.nasl - Type: ACT_GATHER_INFO |
2008-11-25 | Name: The remote Red Hat host is missing one or more security updates. File: redhat-RHSA-2008-0580.nasl - Type: ACT_GATHER_INFO |