CVE-2008-4677

2008-10-2218:00:00

Debian Security Bug Tracker

security-tracker.debian.org

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

EPSS

0.002

Percentile

61.4%

JSON

autoload/netrw.vim (aka the Netrw Plugin) 109, 131, and other versions before 133k for Vim 7.1.266, other 7.1 versions, and 7.2 stores credentials for an FTP session, and sends those credentials when attempting to establish subsequent FTP sessions to servers on different hosts, which allows remote FTP servers to obtain sensitive information in opportunistic circumstances by logging usernames and passwords. NOTE: the upstream vendor disputes a vector involving different ports on the same host, stating “I’m assuming that they’re using the same id and password on that unchanged hostname, deliberately.”

OSVersionArchitecturePackageVersionFilename
Debian12allvim<= 2:9.0.1378-2vim_2:9.0.1378-2_all.deb
Debian11allvim<= 2:8.2.2434-3+deb11u1vim_2:8.2.2434-3+deb11u1_all.deb
Debian999allvim<= 2:9.1.0709-1vim_2:9.1.0709-1_all.deb
Debian13allvim<= 2:9.1.0496-1vim_2:9.1.0496-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	vim	<= 2:9.0.1378-2	vim_2:9.0.1378-2_all.deb
Debian	11	all	vim	<= 2:8.2.2434-3+deb11u1	vim_2:8.2.2434-3+deb11u1_all.deb
Debian	999	all	vim	<= 2:9.1.0709-1	vim_2:9.1.0709-1_all.deb
Debian	13	all	vim	<= 2:9.1.0496-1	vim_2:9.1.0496-1_all.deb