Ubuntu.comUB:CVE-2018-11319CVE-2018-11319
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:S/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
73.6%
Syntastic (aka vim-syntastic) through 3.9.0 does not properly handle
searches for configuration files (it searches the current directory up to
potentially the root). This improper handling might be exploited for
arbitrary code execution via a malicious gcc plugin, if an attacker has
write access to a directory that is a parent of the base directory of the
project being checked. NOTE: exploitation is more difficult after 3.8.0
because filename prediction may be needed.
Bugs
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| ubuntu | 18.04 | noarch | vim-syntastic | < any | UNKNOWN |
| ubuntu | 16.04 | noarch | vim-syntastic | < 3.7.0-1+deb9u2build0.16.04.1 | UNKNOWN |
References
bugs.debian.org/894736
github.com/vim-syntastic/syntastic/commit/6d7c0b394e001233dd09ec473fbea2002c72632f
github.com/vim-syntastic/syntastic/issues/2170
launchpad.net/bugs/cve/CVE-2018-11319
nvd.nist.gov/vuln/detail/CVE-2018-11319
security-tracker.debian.org/tracker/CVE-2018-11319
www.cve.org/CVERecord?id=CVE-2018-11319
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:S/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
73.6%