CVE-2008-4677

Sažetak

autoload/netrw.vim (aka the Netrw Plugin) 109, 131, and other versions before 133k for Vim 7.1.266, other 7.1 versions, and 7.2 stores credentials for an FTP session, and sends those credentials when attempting to establish subsequent FTP sessions to servers on different hosts, which allows remote FTP servers to obtain sensitive information in opportunistic circumstances by logging usernames and passwords. NOTE: the upstream vendor disputes a vector involving different ports on the same host, stating "I'm assuming that they're using the same id and password on that unchanged hostname, deliberately."

Reference

http://groups.google.com/group/vim_dev/browse_thread/thread/2f6fad581a037971/a5fcf4c4981d34e6?show_docid=a5fcf4c4981d34e6
http://lists.opensuse.org/opensuse-security-announce/2009-03/msg00004.html
http://secunia.com/advisories/31464
http://secunia.com/advisories/34418
http://www.mandriva.com/security/advisories?name=MDVSA-2008:236
http://www.openwall.com/lists/oss-security/2008/10/06/4
http://www.openwall.com/lists/oss-security/2008/10/16/2
http://www.openwall.com/lists/oss-security/2008/10/20/2
http://www.rdancer.org/vulnerablevim-netrw-credentials-dis.html
http://www.securityfocus.com/archive/1/495432
http://www.securityfocus.com/archive/1/495436
http://www.securityfocus.com/bid/30670
http://www.vupen.com/english/advisories/2008/2379
https://bugzilla.redhat.com/show_bug.cgi?id=461750
https://exchange.xforce.ibmcloud.com/vulnerabilities/44419

CVSS

Base:	4.3
Impact:	2.9
Exploitability:	8.6

Pristup

Vektor	Složenost	Autentikacija
NETWORK	MEDIUM	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	NONE	NONE

CVSS vektor

AV:N/AC:M/Au:N/C:P/I:N/A:N

Zadnje važnije ažuriranje

08-08-2017 - 01:32

Objavljeno

22-10-2008 - 18:00