Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score 4.3
CVE Id CVE-2008-4677
Last Modified 01 Apr 2009 01:37:52
Published 22 Oct 2008 02:00:00
Confidentiality Impact PARTIAL
Integrity Impact NONE
Availability Impact NONE
Access Vector NETWORK
Access Complexity MEDIUM
Authentication NONE

CVE-2008-4677

Summary

autoload/netrw.vim (aka the Netrw Plugin) 109, 131, and other versions before 133k for Vim 7.1.266, other 7.1 versions, and 7.2 stores credentials for an FTP session, and sends those credentials when attempting to establish subsequent FTP sessions to servers on different hosts, which allows remote FTP servers to obtain sensitive information in opportunistic circumstances by logging usernames and passwords. NOTE: the upstream vendor disputes a vector involving different ports on the same host, stating "I'm assuming that they're using the same id and password on that unchanged hostname, deliberately."

Vulnerable Systems

Application

  • Vim Netrw 109
  • Vim Netrw 110
  • Vim Netrw 111
  • Vim Netrw 112
  • Vim Netrw 113
  • Vim Netrw 114
  • Vim Netrw 115
  • Vim Netrw 116
  • Vim Netrw 118
  • Vim Netrw 120
  • Vim Netrw 121
  • Vim Netrw 122
  • Vim Netrw 123
  • Vim Netrw 128
  • Vim Netrw 131


References

CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=461750
XF - vim-netrw-ftp-information-disclosure(44419)
VUPEN - ADV-2008-2379
BID - 30670
BUGTRAQ - 20080812 Vim: Netrw: FTP User Name and Password Disclosure
BUGTRAQ - 20080812 Re: Vim: Netrw: FTP User Name and Password Disclosure
MISC - http://www.rdancer.org/vulnerablevim-netrw-credentials-dis.html
MLIST - [oss-security] 20081020 CVE request (vim)
MLIST - [oss-security] 20081016 CVE request - Vim netrw.plugin
MLIST - [oss-security] 20081006 CVE request - (vim : netrw plugin - ftp user credentials disclosure)
MANDRIVA - MDVSA-2008:236
SECUNIA - 34418
SECUNIA - 31464
SUSE - SUSE-SR:2009:007
MLIST - [vim_dev] 20080817 Re: Anyone fixing SA31464?

Last Updated: 27 May 2016 10:48:35