Amazon Linux AMI update for vim
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 13 |
| CVE-ID | CVE-2021-3903 CVE-2021-3927 CVE-2021-3928 CVE-2021-3968 CVE-2021-3973 CVE-2021-3974 CVE-2021-3984 CVE-2021-4019 CVE-2021-4069 CVE-2021-4136 CVE-2021-4166 CVE-2021-4173 CVE-2021-4187 |
| CWE-ID | CWE-122 CWE-457 CWE-416 CWE-787 CWE-125 CWE-415 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Amazon Linux AMI Operating systems & Components / Operating system vim Operating systems & Components / Operating system package or component |
| Vendor | Amazon Web Services |
Security Bulletin
This security bulletin contains information about 13 vulnerabilities.
1) Heap-based buffer overflow
EUVDB-ID: #VU63060
Risk: High
CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2021-3903
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error. A remote attacker can trick the victim to open a specially crafted file, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
vim-minimal-8.2.4006-1.1.amzn1.i686
vim-enhanced-8.2.4006-1.1.amzn1.i686
vim-common-8.2.4006-1.1.amzn1.i686
vim-debuginfo-8.2.4006-1.1.amzn1.i686
noarch:
vim-data-8.2.4006-1.1.amzn1.noarch
vim-filesystem-8.2.4006-1.1.amzn1.noarch
src:
vim-8.2.4006-1.1.amzn1.src
x86_64:
vim-enhanced-8.2.4006-1.1.amzn1.x86_64
vim-minimal-8.2.4006-1.1.amzn1.x86_64
vim-debuginfo-8.2.4006-1.1.amzn1.x86_64
vim-common-8.2.4006-1.1.amzn1.x86_64
Amazon Linux AMI: All versions
vim: before 8.2.4006-1.1
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:*
- cpe:2.3:o:amazon_web_services:vim:*:*:*:*:*:amazon_linux_ami:*:*
https://alas.aws.amazon.com/ALAS-2022-1557.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Heap-based buffer overflow
EUVDB-ID: #VU63057
Risk: High
CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2021-3927
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error. A remote attacker can trick the victim to open a specially crafted file, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
vim-minimal-8.2.4006-1.1.amzn1.i686
vim-enhanced-8.2.4006-1.1.amzn1.i686
vim-common-8.2.4006-1.1.amzn1.i686
vim-debuginfo-8.2.4006-1.1.amzn1.i686
noarch:
vim-data-8.2.4006-1.1.amzn1.noarch
vim-filesystem-8.2.4006-1.1.amzn1.noarch
src:
vim-8.2.4006-1.1.amzn1.src
x86_64:
vim-enhanced-8.2.4006-1.1.amzn1.x86_64
vim-minimal-8.2.4006-1.1.amzn1.x86_64
vim-debuginfo-8.2.4006-1.1.amzn1.x86_64
vim-common-8.2.4006-1.1.amzn1.x86_64
Amazon Linux AMI: All versions
vim: before 8.2.4006-1.1
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:*
- cpe:2.3:o:amazon_web_services:vim:*:*:*:*:*:amazon_linux_ami:*:*
https://alas.aws.amazon.com/ALAS-2022-1557.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Use of Uninitialized Variable
EUVDB-ID: #VU63052
Risk: High
CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2021-3928
CWE-ID:
CWE-457 - Use of Uninitialized Variable
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to parsing uninitialized variable. A remote attacker can trick a victim to open a specially crafted file and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
vim-minimal-8.2.4006-1.1.amzn1.i686
vim-enhanced-8.2.4006-1.1.amzn1.i686
vim-common-8.2.4006-1.1.amzn1.i686
vim-debuginfo-8.2.4006-1.1.amzn1.i686
noarch:
vim-data-8.2.4006-1.1.amzn1.noarch
vim-filesystem-8.2.4006-1.1.amzn1.noarch
src:
vim-8.2.4006-1.1.amzn1.src
x86_64:
vim-enhanced-8.2.4006-1.1.amzn1.x86_64
vim-minimal-8.2.4006-1.1.amzn1.x86_64
vim-debuginfo-8.2.4006-1.1.amzn1.x86_64
vim-common-8.2.4006-1.1.amzn1.x86_64
Amazon Linux AMI: All versions
vim: before 8.2.4006-1.1
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:*
- cpe:2.3:o:amazon_web_services:vim:*:*:*:*:*:amazon_linux_ami:*:*
https://alas.aws.amazon.com/ALAS-2022-1557.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Heap-based buffer overflow
EUVDB-ID: #VU63047
Risk: High
CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2021-3968
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error. A remote attacker can trick the victim to open a specially crafted file, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
vim-minimal-8.2.4006-1.1.amzn1.i686
vim-enhanced-8.2.4006-1.1.amzn1.i686
vim-common-8.2.4006-1.1.amzn1.i686
vim-debuginfo-8.2.4006-1.1.amzn1.i686
noarch:
vim-data-8.2.4006-1.1.amzn1.noarch
vim-filesystem-8.2.4006-1.1.amzn1.noarch
src:
vim-8.2.4006-1.1.amzn1.src
x86_64:
vim-enhanced-8.2.4006-1.1.amzn1.x86_64
vim-minimal-8.2.4006-1.1.amzn1.x86_64
vim-debuginfo-8.2.4006-1.1.amzn1.x86_64
vim-common-8.2.4006-1.1.amzn1.x86_64
Amazon Linux AMI: All versions
vim: before 8.2.4006-1.1
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:*
- cpe:2.3:o:amazon_web_services:vim:*:*:*:*:*:amazon_linux_ami:*:*
https://alas.aws.amazon.com/ALAS-2022-1557.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Heap-based buffer overflow
EUVDB-ID: #VU63051
Risk: High
CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2021-3973
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error. A remote attacker can trick the victim to open a specially crafted file, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
vim-minimal-8.2.4006-1.1.amzn1.i686
vim-enhanced-8.2.4006-1.1.amzn1.i686
vim-common-8.2.4006-1.1.amzn1.i686
vim-debuginfo-8.2.4006-1.1.amzn1.i686
noarch:
vim-data-8.2.4006-1.1.amzn1.noarch
vim-filesystem-8.2.4006-1.1.amzn1.noarch
src:
vim-8.2.4006-1.1.amzn1.src
x86_64:
vim-enhanced-8.2.4006-1.1.amzn1.x86_64
vim-minimal-8.2.4006-1.1.amzn1.x86_64
vim-debuginfo-8.2.4006-1.1.amzn1.x86_64
vim-common-8.2.4006-1.1.amzn1.x86_64
Amazon Linux AMI: All versions
vim: before 8.2.4006-1.1
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:*
- cpe:2.3:o:amazon_web_services:vim:*:*:*:*:*:amazon_linux_ami:*:*
https://alas.aws.amazon.com/ALAS-2022-1557.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Use-after-free
EUVDB-ID: #VU63058
Risk: High
CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2021-3974
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a use-after-free error. A remote attacker can trick the victim to open a specially crafted file, trigger a use-after-free error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
vim-minimal-8.2.4006-1.1.amzn1.i686
vim-enhanced-8.2.4006-1.1.amzn1.i686
vim-common-8.2.4006-1.1.amzn1.i686
vim-debuginfo-8.2.4006-1.1.amzn1.i686
noarch:
vim-data-8.2.4006-1.1.amzn1.noarch
vim-filesystem-8.2.4006-1.1.amzn1.noarch
src:
vim-8.2.4006-1.1.amzn1.src
x86_64:
vim-enhanced-8.2.4006-1.1.amzn1.x86_64
vim-minimal-8.2.4006-1.1.amzn1.x86_64
vim-debuginfo-8.2.4006-1.1.amzn1.x86_64
vim-common-8.2.4006-1.1.amzn1.x86_64
Amazon Linux AMI: All versions
vim: before 8.2.4006-1.1
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:*
- cpe:2.3:o:amazon_web_services:vim:*:*:*:*:*:amazon_linux_ami:*:*
https://alas.aws.amazon.com/ALAS-2022-1557.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Heap-based buffer overflow
EUVDB-ID: #VU63049
Risk: High
CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2021-3984
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error. A remote attacker can trick the victim to open a specially crafted file, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
vim-minimal-8.2.4006-1.1.amzn1.i686
vim-enhanced-8.2.4006-1.1.amzn1.i686
vim-common-8.2.4006-1.1.amzn1.i686
vim-debuginfo-8.2.4006-1.1.amzn1.i686
noarch:
vim-data-8.2.4006-1.1.amzn1.noarch
vim-filesystem-8.2.4006-1.1.amzn1.noarch
src:
vim-8.2.4006-1.1.amzn1.src
x86_64:
vim-enhanced-8.2.4006-1.1.amzn1.x86_64
vim-minimal-8.2.4006-1.1.amzn1.x86_64
vim-debuginfo-8.2.4006-1.1.amzn1.x86_64
vim-common-8.2.4006-1.1.amzn1.x86_64
Amazon Linux AMI: All versions
vim: before 8.2.4006-1.1
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:*
- cpe:2.3:o:amazon_web_services:vim:*:*:*:*:*:amazon_linux_ami:*:*
https://alas.aws.amazon.com/ALAS-2022-1557.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Out-of-bounds write
EUVDB-ID: #VU63048
Risk: High
CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2021-4019
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error. A remote attacker can trick the victim to open a specially crafted file, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
vim-minimal-8.2.4006-1.1.amzn1.i686
vim-enhanced-8.2.4006-1.1.amzn1.i686
vim-common-8.2.4006-1.1.amzn1.i686
vim-debuginfo-8.2.4006-1.1.amzn1.i686
noarch:
vim-data-8.2.4006-1.1.amzn1.noarch
vim-filesystem-8.2.4006-1.1.amzn1.noarch
src:
vim-8.2.4006-1.1.amzn1.src
x86_64:
vim-enhanced-8.2.4006-1.1.amzn1.x86_64
vim-minimal-8.2.4006-1.1.amzn1.x86_64
vim-debuginfo-8.2.4006-1.1.amzn1.x86_64
vim-common-8.2.4006-1.1.amzn1.x86_64
Amazon Linux AMI: All versions
vim: before 8.2.4006-1.1
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:*
- cpe:2.3:o:amazon_web_services:vim:*:*:*:*:*:amazon_linux_ami:*:*
https://alas.aws.amazon.com/ALAS-2022-1557.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Use-after-free
EUVDB-ID: #VU60795
Risk: High
CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2021-4069
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error. A remote attacker can trick the victim to open a specially crafted file, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
vim-minimal-8.2.4006-1.1.amzn1.i686
vim-enhanced-8.2.4006-1.1.amzn1.i686
vim-common-8.2.4006-1.1.amzn1.i686
vim-debuginfo-8.2.4006-1.1.amzn1.i686
noarch:
vim-data-8.2.4006-1.1.amzn1.noarch
vim-filesystem-8.2.4006-1.1.amzn1.noarch
src:
vim-8.2.4006-1.1.amzn1.src
x86_64:
vim-enhanced-8.2.4006-1.1.amzn1.x86_64
vim-minimal-8.2.4006-1.1.amzn1.x86_64
vim-debuginfo-8.2.4006-1.1.amzn1.x86_64
vim-common-8.2.4006-1.1.amzn1.x86_64
Amazon Linux AMI: All versions
vim: before 8.2.4006-1.1
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:*
- cpe:2.3:o:amazon_web_services:vim:*:*:*:*:*:amazon_linux_ami:*:*
https://alas.aws.amazon.com/ALAS-2022-1557.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Heap-based buffer overflow
EUVDB-ID: #VU60794
Risk: High
CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2021-4136
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error. A remote attacker can trick the victim to open a specially crafted file, trigger heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
vim-minimal-8.2.4006-1.1.amzn1.i686
vim-enhanced-8.2.4006-1.1.amzn1.i686
vim-common-8.2.4006-1.1.amzn1.i686
vim-debuginfo-8.2.4006-1.1.amzn1.i686
noarch:
vim-data-8.2.4006-1.1.amzn1.noarch
vim-filesystem-8.2.4006-1.1.amzn1.noarch
src:
vim-8.2.4006-1.1.amzn1.src
x86_64:
vim-enhanced-8.2.4006-1.1.amzn1.x86_64
vim-minimal-8.2.4006-1.1.amzn1.x86_64
vim-debuginfo-8.2.4006-1.1.amzn1.x86_64
vim-common-8.2.4006-1.1.amzn1.x86_64
Amazon Linux AMI: All versions
vim: before 8.2.4006-1.1
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:*
- cpe:2.3:o:amazon_web_services:vim:*:*:*:*:*:amazon_linux_ami:*:*
https://alas.aws.amazon.com/ALAS-2022-1557.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Out-of-bounds read
EUVDB-ID: #VU60793
Risk: Low
CVSSv4.0: 0.2 [CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-4166
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to crash the application.
The vulnerability exists due to a boundary condition. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger out-of-bounds read error and crash the application.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
vim-minimal-8.2.4006-1.1.amzn1.i686
vim-enhanced-8.2.4006-1.1.amzn1.i686
vim-common-8.2.4006-1.1.amzn1.i686
vim-debuginfo-8.2.4006-1.1.amzn1.i686
noarch:
vim-data-8.2.4006-1.1.amzn1.noarch
vim-filesystem-8.2.4006-1.1.amzn1.noarch
src:
vim-8.2.4006-1.1.amzn1.src
x86_64:
vim-enhanced-8.2.4006-1.1.amzn1.x86_64
vim-minimal-8.2.4006-1.1.amzn1.x86_64
vim-debuginfo-8.2.4006-1.1.amzn1.x86_64
vim-common-8.2.4006-1.1.amzn1.x86_64
Amazon Linux AMI: All versions
vim: before 8.2.4006-1.1
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:*
- cpe:2.3:o:amazon_web_services:vim:*:*:*:*:*:amazon_linux_ami:*:*
https://alas.aws.amazon.com/ALAS-2022-1557.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Double Free
EUVDB-ID: #VU60792
Risk: High
CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2021-4173
CWE-ID:
CWE-415 - Double Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error. A remote attacker can trick the victim to open a specially crafted file, trigger double free error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
vim-minimal-8.2.4006-1.1.amzn1.i686
vim-enhanced-8.2.4006-1.1.amzn1.i686
vim-common-8.2.4006-1.1.amzn1.i686
vim-debuginfo-8.2.4006-1.1.amzn1.i686
noarch:
vim-data-8.2.4006-1.1.amzn1.noarch
vim-filesystem-8.2.4006-1.1.amzn1.noarch
src:
vim-8.2.4006-1.1.amzn1.src
x86_64:
vim-enhanced-8.2.4006-1.1.amzn1.x86_64
vim-minimal-8.2.4006-1.1.amzn1.x86_64
vim-debuginfo-8.2.4006-1.1.amzn1.x86_64
vim-common-8.2.4006-1.1.amzn1.x86_64
Amazon Linux AMI: All versions
vim: before 8.2.4006-1.1
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:*
- cpe:2.3:o:amazon_web_services:vim:*:*:*:*:*:amazon_linux_ami:*:*
https://alas.aws.amazon.com/ALAS-2022-1557.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) Double Free
EUVDB-ID: #VU60791
Risk: High
CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2021-4187
CWE-ID:
CWE-415 - Double Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error. A remote attacker can trick the victim to open a specially crafted file, trigger double free error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
vim-minimal-8.2.4006-1.1.amzn1.i686
vim-enhanced-8.2.4006-1.1.amzn1.i686
vim-common-8.2.4006-1.1.amzn1.i686
vim-debuginfo-8.2.4006-1.1.amzn1.i686
noarch:
vim-data-8.2.4006-1.1.amzn1.noarch
vim-filesystem-8.2.4006-1.1.amzn1.noarch
src:
vim-8.2.4006-1.1.amzn1.src
x86_64:
vim-enhanced-8.2.4006-1.1.amzn1.x86_64
vim-minimal-8.2.4006-1.1.amzn1.x86_64
vim-debuginfo-8.2.4006-1.1.amzn1.x86_64
vim-common-8.2.4006-1.1.amzn1.x86_64
Amazon Linux AMI: All versions
vim: before 8.2.4006-1.1
CPE2.3- cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:*
- cpe:2.3:o:amazon_web_services:vim:*:*:*:*:*:amazon_linux_ami:*:*
https://alas.aws.amazon.com/ALAS-2022-1557.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
