CVE-2019-12735 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	8.6 HIGH	LOCAL	LOW	NONE	CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
mitre	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 97%

Vendor	Product	Version
vim	vim	𝑥 < 8.1.1365
neovim	neovim	𝑥 < 0.3.6

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

neovim

bullseye	0.4.4-1 fixed
bookworm	0.7.2-7 fixed
sid	0.9.5-10 fixed
trixie	0.9.5-10 fixed

vim

bullseye	2:8.2.2434-3+deb11u1 fixed
bookworm	2:9.0.1378-2 fixed
sid	2:9.1.0777-1 fixed
trixie	2:9.1.0777-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

neovim

lunar	not-affected
kinetic	not-affected
jammy	not-affected
impish	not-affected
hirsute	not-affected
groovy	not-affected
focal	not-affected
eoan	not-affected
disco	Fixed 0.3.4-1ubuntu0.19.04.1 released
cosmic	Fixed 0.3.1-1ubuntu0.1 released
bionic	Fixed 0.2.2-3ubuntu0.1~esm1 released
xenial	dne
trusty	dne

vim

lunar	Fixed 2:8.1.0875-4ubuntu1 released
kinetic	Fixed 2:8.1.0875-4ubuntu1 released
jammy	Fixed 2:8.1.0875-4ubuntu1 released
impish	Fixed 2:8.1.0875-4ubuntu1 released
hirsute	Fixed 2:8.1.0875-4ubuntu1 released
groovy	Fixed 2:8.1.0875-4ubuntu1 released
focal	Fixed 2:8.1.0875-4ubuntu1 released
eoan	Fixed 2:8.1.0875-4ubuntu1 released
disco	Fixed 2:8.1.0320-1ubuntu3.1 released
cosmic	Fixed 2:8.0.1766-1ubuntu1.1 released
bionic	Fixed 2:8.0.1453-1ubuntu1.1 released
xenial	Fixed 2:7.4.1689-3ubuntu1.3 released
trusty	not-affected

Known Exploits!

Common Weakness Enumeration

CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References

http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00031.html

http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00036.html

http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00037.html

http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00034.html

http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00050.html

http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00075.html

http://www.securityfocus.com/bid/108724

https://access.redhat.com/errata/RHSA-2019:1619

https://access.redhat.com/errata/RHSA-2019:1774

https://access.redhat.com/errata/RHSA-2019:1793

https://access.redhat.com/errata/RHSA-2019:1947

https://bugs.debian.org/930020

https://bugs.debian.org/930024

https://github.com/neovim/neovim/pull/10082

https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md

https://github.com/vim/vim/commit/53575521406739cf20bbe4e384d88e7dca11f040

https://lists.debian.org/debian-lts-announce/2019/08/msg00003.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2BMDSHTF754TITC6AQJPCS5IRIDMMIM7/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TRIRBC2YRGKPAWVRMZS4SZTGGCVRVZPR/

https://seclists.org/bugtraq/2019/Jul/39

https://seclists.org/bugtraq/2019/Jun/33

https://security.gentoo.org/glsa/202003-04

https://support.f5.com/csp/article/K93144355

https://support.f5.com/csp/article/K93144355?utm_source=f5support&amp%3Butm_medium=RSS

https://usn.ubuntu.com/4016-1/

https://usn.ubuntu.com/4016-2/

https://www.debian.org/security/2019/dsa-4467

https://www.debian.org/security/2019/dsa-4487

http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00031.html

http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00036.html

http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00037.html

http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00034.html

http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00050.html

http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00075.html

http://www.securityfocus.com/bid/108724

https://access.redhat.com/errata/RHSA-2019:1619

https://access.redhat.com/errata/RHSA-2019:1774

https://access.redhat.com/errata/RHSA-2019:1793

https://access.redhat.com/errata/RHSA-2019:1947

https://bugs.debian.org/930020

https://bugs.debian.org/930024

https://github.com/neovim/neovim/pull/10082

https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md

https://github.com/vim/vim/commit/53575521406739cf20bbe4e384d88e7dca11f040

https://lists.debian.org/debian-lts-announce/2019/08/msg00003.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2BMDSHTF754TITC6AQJPCS5IRIDMMIM7/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TRIRBC2YRGKPAWVRMZS4SZTGGCVRVZPR/

https://seclists.org/bugtraq/2019/Jul/39

https://seclists.org/bugtraq/2019/Jun/33

https://security.gentoo.org/glsa/202003-04

https://support.f5.com/csp/article/K93144355

https://support.f5.com/csp/article/K93144355?utm_source=f5support&amp%3Butm_medium=RSS

https://usn.ubuntu.com/4016-1/

https://usn.ubuntu.com/4016-2/

https://www.debian.org/security/2019/dsa-4467

https://www.debian.org/security/2019/dsa-4487