Input validation error in neovim (Alpine package)



Risk: High
Patch available: YES
Number of vulnerabilities: 1
CVE-ID: CVE-2016-1248
CWE-ID: CWE-20
Exploitation vector: Network
Public exploit: Public exploit code for vulnerability #1 is available.
Vulnerable software: neovim (Alpine package)
Operating systems & Components / Operating system package or component

Vendor: Alpine Linux Development Team

Security Bulletin

This security bulletin contains one high risk vulnerability.

1) Input validation error

EUVDB-ID: #VU33140

Risk: High

CVSSv4.0: 7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]

CVE-ID: CVE-2016-1248

CWE-ID: CWE-20 - Improper input validation

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to compromise the affected system.

Vim before patch 8.0.0056 does not properly validate values for the 'filetype', 'syntax' and 'keymap' options, which may result in the execution of arbitrary code if a file with a specially crafted modeline is opened.
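A triage check for the condition described above, as an added example that is not part of the bulletin or of the Vim/Neovim code: it reads the modelines in the first and last lines of a file and flags 'filetype', 'syntax' or 'keymap' values containing unexpected characters. Assumptions: the allow-list of characters is this example's own choice, the window of 5 lines follows Vim's default 'modelines' setting, and the sample text is constructed.

```python
import re

# Assumption (not from the bulletin): treat only ASCII letters, digits, '.', '-'
# and '_' as expected characters in these option values.
SAFE_VALUE = re.compile(r'[A-Za-z0-9._-]*')
# Options named in the bulletin, plus their short names.
WATCHED = {'filetype': 'filetype', 'ft': 'filetype', 'syntax': 'syntax',
           'syn': 'syntax', 'keymap': 'keymap', 'kmp': 'keymap'}
MODELINE = re.compile(r'(?:^|\s)(?:vi|[vV]im(?:[<=>]?\d+)?|ex):\s*(.*)$')
SET_FORM = re.compile(r'set?\s+(.*)$')

def modeline_options(line):
    """Return the raw option tokens of a modeline, or [] if there is none."""
    m = MODELINE.search(line)
    if not m:
        return []
    body = m.group(1)
    s = SET_FORM.match(body)
    if s:  # "vim: set opt=val opt=val :" form, options end at the first bare ':'
        body = re.split(r'(?<!\\):', s.group(1), maxsplit=1)[0]
        return [t for t in re.split(r'(?<!\\)\s+', body) if t]
    # "vim: opt=val:opt=val" form, options separated by ':' or whitespace
    return [t for t in re.split(r'(?<!\\)[\s:]+', body) if t]

def scan_text(text, modelines=5):
    """Flag watched options with unexpected characters inside the modeline window."""
    lines = text.splitlines()
    n = len(lines)
    window = sorted(set(range(min(modelines, n))) | set(range(max(0, n - modelines), n)))
    findings = []
    for i in window:
        for tok in modeline_options(lines[i]):
            name, sep, value = tok.partition('=')
            opt = WATCHED.get(name.rstrip('+^-'))  # also covers opt+=val and similar
            if sep and opt and not SAFE_VALUE.fullmatch(value):
                findings.append((i + 1, opt, value))  # (line number, option, raw value)
    return findings

# Constructed 13-line sample; the flagged values are harmless placeholders.
SAMPLE = "\n".join(["#!/usr/bin/env python", "# vim: set ft=python ts=4 sw=4 :"]
                   + ["x = 0"] * 4 + ["# vim: ft=c++"] + ["x = 0"] * 5
                   + ["# vim: set keymap=my~map syn=c++ :"])

if __name__ == "__main__":
    for lineno, opt, value in scan_text(SAMPLE):
        print(f"line {lineno}: suspicious {opt} value {value!r}")
```

A hit is a reason to inspect the file before opening it in an unpatched editor, not proof of malicious content.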

Mitigation

Install update from vendor's website.

Vulnerable software versions

neovim (Alpine package): 0.1.6-r0

External links

https://git.alpinelinux.org/aports/commit/?id=5f92eb8ad10133c22508f7e1ab4e46b4eb842ef7
https://git.alpinelinux.org/aports/commit/?id=f5bf7a6023c0e044a089cc7cf27278c45e55b064
https://git.alpinelinux.org/aports/commit/?id=c89b10e08390d23d8fb52750a487c0148042f6d8
https://git.alpinelinux.org/aports/commit/?id=70ab2cf105d1d6be0272ef2213cbe36bd59c52c6
https://git.alpinelinux.org/aports/commit/?id=6d469b11e8c82736a7bed57a91c13b5390d043f7
https://git.alpinelinux.org/aports/commit/?id=5fc22268ac01224cf8d42da3530fe5dd9cb1cc31
https://git.alpinelinux.org/aports/commit/?id=39df8950b2072203f0c6afec938c35be8d28be51
https://git.alpinelinux.org/aports/commit/?id=a251cd9a99ff34d7a2d4deac5548ea4a322c1bba
https://git.alpinelinux.org/aports/commit/?id=a6f793639714d97c60d21c8b74df9b9c9a4b64f1
https://git.alpinelinux.org/aports/commit/?id=4334497e10a06b4bf609c459421f38f4f107273e


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


