Main Vulnerability Database SB2020101419

SB2020101419 - Ubuntu update for vim

Published: October 14, 2020 Updated: April 23, 2025

Security Bulletin ID SB2020101419

Severity

Low

Patch available

YES

Number of vulnerabilities 2

Exploitation vector Local access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Information disclosure (CVE-ID: CVE-2017-17087)

The vulnerability allows a local authenticated user to gain access to sensitive information.

fileio.c in Vim prior to 8.0.1263 sets the group ownership of a .swp file to the editor's primary group (which may be different from the group ownership of the original file), which allows local users to obtain sensitive information by leveraging an applicable group membership, as demonstrated by /etc/shadow owned by root:shadow mode 0640, but /etc/.shadow.swp owned by root:users mode 0640, a different vulnerability than CVE-2017-1000382.

2) OS Command Injection (CVE-ID: CVE-2019-20807)

The vulnerability allows a local authenticated user to read and manipulate data.

In Vim before 8.1.0881, users can circumvent the rvim restricted mode and execute arbitrary OS commands via scripting interfaces (e.g., Python, Ruby, or Lua).

Remediation

Install update from vendor's website.

References

https://ubuntu.com/security/notices/USN-4582-1