Podatność CVE-2008-4677


Publikacja: 2008-10-22   Modyfikacja: 2012-02-12

Opis:
autoload/netrw.vim (aka the Netrw Plugin) 109, 131, and other versions before 133k for Vim 7.1.266, other 7.1 versions, and 7.2 stores credentials for an FTP session, and sends those credentials when attempting to establish subsequent FTP sessions to servers on different hosts, which allows remote FTP servers to obtain sensitive information in opportunistic circumstances by logging usernames and passwords. NOTE: the upstream vendor disputes a vector involving different ports on the same host, stating "I'm assuming that they're using the same id and password on that unchanged hostname, deliberately."

Typ:

CWE-255

(Credentials Management)

CVSS2 => (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Ogólna skala CVSS
Znaczenie
Łatwość wykorzystania
4.3/10
2.9/10
8.6/10
Wymagany dostęp
Złożoność ataku
Autoryzacja
Zdalny
Średnia
Nie wymagana
Wpływ na poufność
Wpływ na integralność
Wpływ na dostępność
Częściowy
Brak
Brak
Affected software
VIM -> Netrw 

 Referencje:
https://bugzilla.redhat.com/show_bug.cgi?id=461750
http://xforce.iss.net/xforce/xfdb/44419
http://www.vupen.com/english/advisories/2008/2379
http://www.securityfocus.com/bid/30670
http://www.securityfocus.com/archive/1/495436
http://www.securityfocus.com/archive/1/495432
http://www.rdancer.org/vulnerablevim-netrw-credentials-dis.html
http://www.openwall.com/lists/oss-security/2008/10/20/2
http://www.openwall.com/lists/oss-security/2008/10/16/2
http://www.openwall.com/lists/oss-security/2008/10/06/4
http://www.mandriva.com/security/advisories?name=MDVSA-2008:236
http://secunia.com/advisories/34418
http://secunia.com/advisories/31464
http://lists.opensuse.org/opensuse-security-announce/2009-03/msg00004.html
http://groups.google.com/group/vim_dev/browse_thread/thread/2f6fad581a037971/a5fcf4c4981d34e6?show_docid=a5fcf4c4981d34e6

Copyright 2024, cxsecurity.com

 

Back to Top