CVSS3: 7.8 High
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS2: 4.4 Medium
Access Vector: LOCAL
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:L/AC:M/Au:N/C:P/I:P/A:P

EPSS: 0.001 Low
Percentile: 17.4%
Opening files from an untrusted directory can lead to execution of arbitrary commands on Windows systems. This is possible by placing a malicious file with the same name as a trusted executable in that directory, because Windows gives priority to the current directory when searching for executables. Several built-in plugins execute commands when opening files; for example, the Perl plugin (runtime/ftplugin/perl.vim) executes the perl command when opening a Perl file.
Contents of the malicious batch file placed in the untrusted directory:
@echo off
echo hacked! > pwned.txt

With filetype plugins enabled (filetype plugin on in the vimrc), opening a Perl file from that directory runs the batch file instead of the real perl:
filetype plugin on
vim test.pl
This vulnerability can also be triggered through other plugins, like zip.vim (runtime/ftplugin/zip.vim), which executes the unzip command when opening a zip file.
This vulnerability is similar to CVE-2021-3013 and CVE-2022-41953.
Note that this affects all plugins that execute commands (make calls to system()) on Windows systems.
I was able to reproduce this on Windows 10 with GVim, Vim on PowerShell and Vim on the normal CMD.
Related Win32 APIs: NeedCurrentDirectoryForExePath, CreateProcessW
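The following is an added example, not code from the advisory or from Vim. It models the lookup that the shell performs for a bare command name such as perl when a plugin calls system(): the current directory is consulted before PATH unless the NoDefaultCurrentDirectoryInExePath environment variable is set, which is also the condition the Win32 NeedCurrentDirectoryForExePath() function reports. On top of that model it includes a small audit that lists files in a directory which would shadow an executable found on PATH, so an administrator can check a download folder before opening files from it. The directory contents, PATH and PATHEXT subset are constructed; the real Windows lookup also consults the application and system directories, which this model omits.

```python
"""Model of the Windows bare-command lookup behind the Vim advisory,
plus an audit for files that shadow PATH executables.

Added example (not the advisory's or Vim's code). Assumptions: the
lookup searches the current directory first unless
NoDefaultCurrentDirectoryInExePath is set, then each PATH entry, trying
the PATHEXT extensions in order; names compare case-insensitively.
"""
from __future__ import annotations

# Extensions tried, in order, for a bare command name
# (constructed subset of the default PATHEXT list).
PATHEXT = [".com", ".exe", ".bat", ".cmd"]

# Constructed filesystem: directory -> names it contains.
FS = {
    r"C:\Downloads\untrusted": {"perl.bat", "test.pl", "notes.txt"},
    r"C:\Perl\bin": {"perl.exe"},
    r"C:\Windows\System32": {"cmd.exe"},
}
PATH_DIRS = [r"C:\Perl\bin", r"C:\Windows\System32"]
CWD = r"C:\Downloads\untrusted"


def search_order(cwd: str, path_dirs: list[str], env: dict[str, str]) -> list[str]:
    """Directories consulted for a bare command name, in order.

    NoDefaultCurrentDirectoryInExePath removes the current directory from
    the search, which is what NeedCurrentDirectoryForExePath() reports.
    """
    if "NoDefaultCurrentDirectoryInExePath" in env:
        return list(path_dirs)
    return [cwd, *path_dirs]


def resolve(command: str, dirs: list[str], fs: dict[str, set[str]]) -> str | None:
    """Resolve a bare command name to 'dir\\file', or None if not found."""
    for d in dirs:
        names = {n.lower() for n in fs.get(d, ())}
        for ext in PATHEXT:
            cand = command.lower() + ext
            if cand in names:
                return d + "\\" + cand
    return None


def shadowed_commands(cwd, path_dirs, fs, env):
    """Map each command name that a file in cwd would capture to
    (file in cwd, what PATH alone would have run).

    Only names that also resolve on PATH are reported: those are the
    cases where a trusted executable is being shadowed.
    """
    result = {}
    if "NoDefaultCurrentDirectoryInExePath" in env:
        return result  # lookup never reaches cwd, nothing can shadow
    for name in fs.get(cwd, ()):
        stem, dot, ext = name.lower().rpartition(".")
        if not dot or "." + ext not in PATHEXT:
            continue  # not an executable extension, cannot be run by name
        trusted = resolve(stem, list(path_dirs), fs)
        if trusted is not None:
            result[stem] = (cwd + "\\" + name.lower(), trusted)
    return result


if __name__ == "__main__":
    for env in ({}, {"NoDefaultCurrentDirectoryInExePath": "1"}):
        order = search_order(CWD, PATH_DIRS, env)
        print(env or "default env", "->", resolve("perl", order, FS))
    print(shadowed_commands(CWD, PATH_DIRS, FS, {}))
```

With the default environment the constructed perl.bat in the download directory wins over C:\Perl\bin\perl.exe; with NoDefaultCurrentDirectoryInExePath set the audit reports nothing, because the current directory is no longer part of the search at all.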