9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.6 High
AI Score
Confidence
Low
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.009 Low
EPSS
Percentile
82.4%
Issue Overview:
2024-02-14: CVE-2021-3778 was added to this advisory.
2024-02-14: CVE-2021-3875 was added to this advisory.
2024-02-14: CVE-2021-3872 was added to this advisory.
A flaw was found in vim. A possible heap-based buffer overflow could allow an attacker to input a specially crafted file leading to a crash or code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2021-3778)
An out-of-bounds write flaw was found in vim’s drawscreen.c win_redr_status() function. This flaw allows an attacker to trick a user to open a crafted file with specific arguments in vim, triggering an out-of-bounds write. The highest threat from this vulnerability is to confidentiality, integrity, and system availability. (CVE-2021-3872)
There’s an out-of-bounds read flaw in Vim’s ex_docmd.c. An attacker who is capable of tricking a user into opening a specially crafted file could trigger an out-of-bounds read on a memmove operation, potentially causing an impact to application availability. (CVE-2021-3875)
It was found that vim was vulnerable to use-after-free flaw in the way it was treating allocated lines in user functions. A specially crafted file could crash the vim process or possibly lead to other undefined behaviors. (CVE-2022-0156)
It was found that vim was vulnerable to a 1 byte heap based out of bounds read flaw in the compile_get_env()
function. A file could use that flaw to disclose 1 byte of vim’s internal memory. (CVE-2022-0158)
A flaw was found in vim. The vulnerability occurs due to not checking the length for the NameBuff function, which can lead to a heap buffer overflow. This flaw allows an attacker to input a specially crafted file, leading to a crash or code execution. (CVE-2022-0213)
A heap based out-of-bounds write flaw was found in vim’s ops.c. This flaw allows an attacker to trick a user to open a crafted file triggering an out-of-bounds write. This vulnerability is capable of crashing software, modify memory, and possible code execution. (CVE-2022-0261)
A flaw was found in vim. The vulnerability occurs due to reading beyond the end of a line in the utf_head_off function, which can lead to a heap buffer overflow. This flaw allows an attacker to input a specially crafted file, leading to a crash or code execution. (CVE-2022-0318)
A flaw was found in vim. The vulnerability occurs due to too many recursions, which can lead to a segmentation fault. This flaw allows an attacker to input a specially crafted file, leading to a crash or code execution. (CVE-2022-0351)
A flaw was found in vim. The vulnerability occurs due to Illegal memory access with large tabstop in Ex mode, which can lead to a heap buffer overflow. This flaw allows an attacker to input a specially crafted file, leading to a crash or code execution. (CVE-2022-0359)
Affected Packages:
vim
Issue Correction:
Run yum update vim to update your system.
New Packages:
i686:
vim-minimal-8.2.4314-1.1.amzn1.i686
vim-enhanced-8.2.4314-1.1.amzn1.i686
vim-common-8.2.4314-1.1.amzn1.i686
vim-debuginfo-8.2.4314-1.1.amzn1.i686
noarch:
vim-filesystem-8.2.4314-1.1.amzn1.noarch
vim-data-8.2.4314-1.1.amzn1.noarch
src:
vim-8.2.4314-1.1.amzn1.src
x86_64:
vim-common-8.2.4314-1.1.amzn1.x86_64
vim-enhanced-8.2.4314-1.1.amzn1.x86_64
vim-minimal-8.2.4314-1.1.amzn1.x86_64
vim-debuginfo-8.2.4314-1.1.amzn1.x86_64
Red Hat: CVE-2021-3778, CVE-2021-3872, CVE-2021-3875, CVE-2022-0156, CVE-2022-0158, CVE-2022-0213, CVE-2022-0261, CVE-2022-0318, CVE-2022-0351, CVE-2022-0359
Mitre: CVE-2021-3778, CVE-2021-3872, CVE-2021-3875, CVE-2022-0156, CVE-2022-0158, CVE-2022-0213, CVE-2022-0261, CVE-2022-0318, CVE-2022-0351, CVE-2022-0359
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Amazon Linux | 1 | i686 | vim-minimal | < 8.2.4314-1.1.amzn1 | vim-minimal-8.2.4314-1.1.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | vim-enhanced | < 8.2.4314-1.1.amzn1 | vim-enhanced-8.2.4314-1.1.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | vim-common | < 8.2.4314-1.1.amzn1 | vim-common-8.2.4314-1.1.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | vim-debuginfo | < 8.2.4314-1.1.amzn1 | vim-debuginfo-8.2.4314-1.1.amzn1.i686.rpm |
Amazon Linux | 1 | noarch | vim-filesystem | < 8.2.4314-1.1.amzn1 | vim-filesystem-8.2.4314-1.1.amzn1.noarch.rpm |
Amazon Linux | 1 | noarch | vim-data | < 8.2.4314-1.1.amzn1 | vim-data-8.2.4314-1.1.amzn1.noarch.rpm |
Amazon Linux | 1 | x86_64 | vim-common | < 8.2.4314-1.1.amzn1 | vim-common-8.2.4314-1.1.amzn1.x86_64.rpm |
Amazon Linux | 1 | x86_64 | vim-enhanced | < 8.2.4314-1.1.amzn1 | vim-enhanced-8.2.4314-1.1.amzn1.x86_64.rpm |
Amazon Linux | 1 | x86_64 | vim-minimal | < 8.2.4314-1.1.amzn1 | vim-minimal-8.2.4314-1.1.amzn1.x86_64.rpm |
Amazon Linux | 1 | x86_64 | vim-debuginfo | < 8.2.4314-1.1.amzn1 | vim-debuginfo-8.2.4314-1.1.amzn1.x86_64.rpm |
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.6 High
AI Score
Confidence
Low
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.009 Low
EPSS
Percentile
82.4%