CVE-2023-48235

2023-11-1623:15:09

Debian Security Bug Tracker

security-tracker.debian.org

vim command line text editor

overflow vulnerability

patch release 9.0.2110

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

4.9 Medium

AI Score

Confidence

High

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

0.002 Low

EPSS

Percentile

52.7%

JSON

Vim is an open source command line text editor. When parsing relative ex addresses one may unintentionally cause an overflow. Ironically this happens in the existing overflow check, because the line number becomes negative and LONG_MAX - lnum will cause the overflow. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit 060623e which has been included in release version 9.0.2110. Users are advised to upgrade. There are no known workarounds for this vulnerability.

OSVersionArchitecturePackageVersionFilename
Debian12allvim<= 2:9.0.1378-2vim_2:9.0.1378-2_all.deb
Debian11allvim<= 2:8.2.2434-3+deb11u1vim_2:8.2.2434-3+deb11u1_all.deb
Debian10allvim<= 2:8.1.0875-5+deb10u2vim_2:8.1.0875-5+deb10u2_all.deb
Debian999allvim< 2:9.0.2116-1vim_2:9.0.2116-1_all.deb
Debian13allvim< 2:9.0.2116-1vim_2:9.0.2116-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	vim	<= 2:9.0.1378-2	vim_2:9.0.1378-2_all.deb
Debian	11	all	vim	<= 2:8.2.2434-3+deb11u1	vim_2:8.2.2434-3+deb11u1_all.deb
Debian	10	all	vim	<= 2:8.1.0875-5+deb10u2	vim_2:8.1.0875-5+deb10u2_all.deb
Debian	999	all	vim	< 2:9.0.2116-1	vim_2:9.0.2116-1_all.deb
Debian	13	all	vim	< 2:9.0.2116-1	vim_2:9.0.2116-1_all.deb