#VU74499 NULL pointer dereference in Vim - CVE-2023-1355


Vulnerability identifier: #VU74499

Vulnerability risk: Low

CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-1355

CWE-ID: CWE-476

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Vim
Client/Desktop applications / Software for system administration

Vendor: Vim.org

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error in within the class_object_index() function in vim9class.c in Vim. A remote attacker can perform a denial of service (DoS) attack.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Vim: 9.0.0000 - 9.0.1401

External links
https://github.com/vim/vim/commit/d13dd30240e32071210f55b587182ff48757ea46
https://huntr.dev/bounties/4d0a9615-d438-4f5c-8dd6-aa22f4b716d9
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IE44W6WMMREYCW3GJHPSYP7NK2VT5NY6/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in Dell RecoverPoint for Virtual Machines
Multiple vulnerabilities in Dell ObjectScale
Amazon Linux AMI update for vim
Dell EMC NetWorker vProxy update for third-party components
SUSE update for vim
Fedora 36 update for vim
Multiple vulnerabilities in Dell EMC VxRail Appliance
SUSE update for vim
Amazon Linux AMI update for vim
Denial of service in Vim