HTTP: Vim Modelines Remote Command Execution

A command execution vulnerability has been reported in Vim. The vulnerability is due to a lack of input validation when processing modeline values for the filetype, keymap, and syntax options. A remote attacker can exploit this vulnerability by enticing a user to open a crafted file in Vim. Successful exploitation could result in the execution of arbitrary commands in the context of the target user.

Extended Description

Vim before patch 8.0.0056 does not properly validate values for the 'filetype', 'syntax' and 'keymap' options, which may result in the execution of arbitrary code if a file with a specially crafted modeline is opened.

Affected Products

Vim vim

Short Name
HTTP:STC:VIM-MODELINES-RCE
Severity
Major
Recommended
True
Recommended Action
Drop
Category
HTTP
Keywords
CVE-2016-1248 Command Execution Modelines Remote Vim
Release Date
01/09/2017
Supported Platforms
srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3

Sigpack Version
3590
False Positive
Unknown
Vendors
Debian
Vim
CVSS Score
6.8