Vulnerability-Lookup

BDU:2019-03251

Vulnerability from fstec - Published: 05.06.2019

Title

Уязвимость библиотеки getchar.c текстового редактора Vim, связанная с отсутствием мер по нейтрализации специальных элементов, используемых в команде операционной системы, позволяющая нарушителю получить доступ к конфиденциальным данным, нарушить их целостность, а также вызвать отказ в обслуживании

Description

Уязвимость библиотеки getchar.c текстового редактора Vim связана с отсутствием фильтрации команды «!source», которая позволяет выполнять произвольные команды в операционной системе. Эксплуатация уязвимости позволяет нарушителю получить доступ к конфиденциальным данным, нарушить их целостность, а также вызвать отказ в обслуживании

Severity ?


                    
                      AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Vendor

ООО «РусБИТех-Астра», Red Hat Inc., Canonical Ltd., Сообщество свободного программного обеспечения, Novell Inc., Fedora Project, ООО «Ред Софт», АО «НТЦ ИТ РОСА»

Software Name

Astra Linux Special Edition (запись в едином реестре российских программ №369), Red Hat Enterprise Linux, Ubuntu, Debian GNU/Linux, OpenSUSE Leap, Fedora, vim, РЕД ОС (запись в едином реестре российских программ №3751), neovim, Astra Linux Special Edition для «Эльбрус» (запись в едином реестре российских программ №11156), ROSA Virtualization 3.0 (запись в едином реестре российских программ №21308)

Software Version

1.5 «Смоленск» (Astra Linux Special Edition), 6 (Red Hat Enterprise Linux), 7 (Red Hat Enterprise Linux), 16.04 LTS (Ubuntu), 9 (Debian GNU/Linux), 42.3 (OpenSUSE Leap), 18.04 LTS (Ubuntu), 18.10 (Ubuntu), 1.6 «Смоленск» (Astra Linux Special Edition), 29 (Fedora), 19.04 (Ubuntu), 8 (Red Hat Enterprise Linux), 15.0 (OpenSUSE Leap), 15.1 (OpenSUSE Leap), 30 (Fedora), 8 (Debian GNU/Linux), 10 (Debian GNU/Linux), до 8.1.1365 (vim), 7.4 Extended Update Support (Red Hat Enterprise Linux), 7.5 Extended Update Support (Red Hat Enterprise Linux), 7.1 МУРОМ (РЕД ОС), до 0.3.6 (neovim), 8.1 «Ленинград» (Astra Linux Special Edition для «Эльбрус»), 3.0 (ROSA Virtualization 3.0)

Possible Mitigations

Использование рекомендаций: Для vim и neovim: https://github.com/vim/vim/commit/53575521406739cf20bbe4e384d88e7dca11f040 https://github.com/neovim/neovim/pull/10082/commits/5e611f32841e746932fbcbea292ca502ed9e694b Для Astra Linux: https://wiki.astralinux.ru/pages/viewpage.action?pageId=57444186 https://wiki.astralinux.ru/pages/viewpage.action?pageId=41192827 https://wiki.astralinux.ru/astra-linux-se15-bulletin-20201201SE15 Для программных продуктов Red Hat Inc.: https://access.redhat.com/errata/RHSA-2019:1619 Для Fedora: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2BMDSHTF754TITC6AQJPCS5IRIDMMIM7/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TRIRBC2YRGKPAWVRMZS4SZTGGCVRVZPR/ Для Ubuntu: https://usn.ubuntu.com/4016-1/ https://usn.ubuntu.com/4016-2/ Для Debian GNU/Linux: https://www.debian.org/security/2019/dsa-4467 https://www.debian.org/security/2019/dsa-4487 Для программных продуктов Novell Inc.: https://lists.opensuse.org/opensuse-security-announce/2019-06/msg00031.html https://lists.opensuse.org/opensuse-security-announce/2019-06/msg00036.html https://lists.opensuse.org/opensuse-security-announce/2019-06/msg00037.html https://lists.opensuse.org/opensuse-security-announce/2019-07/msg00034.html https://lists.opensuse.org/opensuse-security-announce/2019-07/msg00050.html https://lists.opensuse.org/opensuse-security-announce/2019-07/msg00050.html Для ООО "РЕД СОФТ" РЕД ОС 7.1 МУРОМ: Обновление vim и neovim до актуальной версии Для программной системы управления средой виртуализации с подсистемой безагентного резервного копирования виртуальных машин «ROSA Virtualization 3.0»: https://abf.rosa.ru/advisories/ROSA-SA-2025-2720

Reference

https://github.com/vim/vim/commit/53575521406739cf20bbe4e384d88e7dca11f040 https://github.com/neovim/neovim/pull/10082/commits/5e611f32841e746932fbcbea292ca502ed9e694b https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md https://access.redhat.com/errata/RHSA-2019:1619 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2BMDSHTF754TITC6AQJPCS5IRIDMMIM7/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TRIRBC2YRGKPAWVRMZS4SZTGGCVRVZPR/ https://usn.ubuntu.com/4016-1/ https://usn.ubuntu.com/4016-2/ https://www.debian.org/security/2019/dsa-4467 https://www.debian.org/security/2019/dsa-4487 https://wiki.astralinux.ru/pages/viewpage.action?pageId=57444186 https://lists.opensuse.org/opensuse-security-announce/2019-06/msg00031.html https://lists.opensuse.org/opensuse-security-announce/2019-06/msg00036.html https://lists.opensuse.org/opensuse-security-announce/2019-06/msg00037.html https://lists.opensuse.org/opensuse-security-announce/2019-07/msg00034.html https://lists.opensuse.org/opensuse-security-announce/2019-07/msg00050.html https://lists.opensuse.org/opensuse-security-announce/2019-07/msg00050.html https://wiki.astralinux.ru/pages/viewpage.action?pageId=41192827 https://wiki.astralinux.ru/astra-linux-se15-bulletin-20201201SE15 https://abf.rosa.ru/advisories/ROSA-SA-2025-2720

CWE

CWE-78

JSON

To clipboard

{
  "CVSS 2.0": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
  "CVSS 3.0": "AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
  "CVSS 4.0": null,
  "remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
  "remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
  "\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "\u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb, Red Hat Inc., Canonical Ltd., \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f, Novell Inc., Fedora Project, \u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb, \u0410\u041e \u00ab\u041d\u0422\u0426 \u0418\u0422 \u0420\u041e\u0421\u0410\u00bb",
  "\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "1.5 \u00ab\u0421\u043c\u043e\u043b\u0435\u043d\u0441\u043a\u00bb (Astra Linux Special Edition), 6 (Red Hat Enterprise Linux), 7 (Red Hat Enterprise Linux), 16.04 LTS (Ubuntu), 9 (Debian GNU/Linux), 42.3 (OpenSUSE Leap), 18.04 LTS (Ubuntu), 18.10 (Ubuntu), 1.6 \u00ab\u0421\u043c\u043e\u043b\u0435\u043d\u0441\u043a\u00bb (Astra Linux Special Edition), 29 (Fedora), 19.04 (Ubuntu), 8 (Red Hat Enterprise Linux), 15.0 (OpenSUSE Leap), 15.1 (OpenSUSE Leap), 30 (Fedora), 8 (Debian GNU/Linux), 10 (Debian GNU/Linux), \u0434\u043e 8.1.1365 (vim), 7.4 Extended Update Support (Red Hat Enterprise Linux), 7.5 Extended Update Support (Red Hat Enterprise Linux), 7.1 \u041c\u0423\u0420\u041e\u041c (\u0420\u0415\u0414 \u041e\u0421), \u0434\u043e 0.3.6 (neovim), 8.1 \u00ab\u041b\u0435\u043d\u0438\u043d\u0433\u0440\u0430\u0434\u00bb (Astra Linux Special Edition \u0434\u043b\u044f \u00ab\u042d\u043b\u044c\u0431\u0440\u0443\u0441\u00bb), 3.0 (ROSA Virtualization 3.0)",
  "\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\n\u0414\u043b\u044f vim \u0438 neovim:\nhttps://github.com/vim/vim/commit/53575521406739cf20bbe4e384d88e7dca11f040\nhttps://github.com/neovim/neovim/pull/10082/commits/5e611f32841e746932fbcbea292ca502ed9e694b\n\n\u0414\u043b\u044f Astra Linux:\nhttps://wiki.astralinux.ru/pages/viewpage.action?pageId=57444186\nhttps://wiki.astralinux.ru/pages/viewpage.action?pageId=41192827\nhttps://wiki.astralinux.ru/astra-linux-se15-bulletin-20201201SE15\n\n\u0414\u043b\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0445 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 Red Hat Inc.:\nhttps://access.redhat.com/errata/RHSA-2019:1619\n\n\u0414\u043b\u044f Fedora:\nhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2BMDSHTF754TITC6AQJPCS5IRIDMMIM7/\nhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TRIRBC2YRGKPAWVRMZS4SZTGGCVRVZPR/\n\n\u0414\u043b\u044f Ubuntu:\nhttps://usn.ubuntu.com/4016-1/\nhttps://usn.ubuntu.com/4016-2/\n\n\u0414\u043b\u044f Debian GNU/Linux:\nhttps://www.debian.org/security/2019/dsa-4467\nhttps://www.debian.org/security/2019/dsa-4487\n\n\u0414\u043b\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0445 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 Novell Inc.:\nhttps://lists.opensuse.org/opensuse-security-announce/2019-06/msg00031.html\nhttps://lists.opensuse.org/opensuse-security-announce/2019-06/msg00036.html\nhttps://lists.opensuse.org/opensuse-security-announce/2019-06/msg00037.html\nhttps://lists.opensuse.org/opensuse-security-announce/2019-07/msg00034.html\nhttps://lists.opensuse.org/opensuse-security-announce/2019-07/msg00050.html\nhttps://lists.opensuse.org/opensuse-security-announce/2019-07/msg00050.html\n\n\u0414\u043b\u044f \u041e\u041e\u041e \"\u0420\u0415\u0414 \u0421\u041e\u0424\u0422\" \u0420\u0415\u0414 \u041e\u0421 7.1 \u041c\u0423\u0420\u041e\u041c:\n\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 vim \u0438 neovim \u0434\u043e \u0430\u043a\u0442\u0443\u0430\u043b\u044c\u043d\u043e\u0439 \u0432\u0435\u0440\u0441\u0438\u0438\n\n\u0414\u043b\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0439 \u0441\u0438\u0441\u0442\u0435\u043c\u044b \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u0441\u0440\u0435\u0434\u043e\u0439 \u0432\u0438\u0440\u0442\u0443\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u0438 \u0441 \u043f\u043e\u0434\u0441\u0438\u0441\u0442\u0435\u043c\u043e\u0439 \u0431\u0435\u0437\u0430\u0433\u0435\u043d\u0442\u043d\u043e\u0433\u043e \u0440\u0435\u0437\u0435\u0440\u0432\u043d\u043e\u0433\u043e \u043a\u043e\u043f\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u044f \u0432\u0438\u0440\u0442\u0443\u0430\u043b\u044c\u043d\u044b\u0445 \u043c\u0430\u0448\u0438\u043d \u00abROSA Virtualization 3.0\u00bb: https://abf.rosa.ru/advisories/ROSA-SA-2025-2720",
  "\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "05.06.2019",
  "\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "19.03.2025",
  "\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "19.09.2019",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2019-03251",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2019-12735",
  "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
  "\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
  "\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "Astra Linux Special Edition (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369), Red Hat Enterprise Linux, Ubuntu, Debian GNU/Linux, OpenSUSE Leap, Fedora, vim, \u0420\u0415\u0414 \u041e\u0421 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751), neovim, Astra Linux Special Edition \u0434\u043b\u044f \u00ab\u042d\u043b\u044c\u0431\u0440\u0443\u0441\u00bb (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u211611156), ROSA Virtualization 3.0 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u211621308)",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "\u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb Astra Linux Special Edition 1.5 \u00ab\u0421\u043c\u043e\u043b\u0435\u043d\u0441\u043a\u00bb  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369), Red Hat Inc. Red Hat Enterprise Linux 6 , Red Hat Inc. Red Hat Enterprise Linux 7 , Canonical Ltd. Ubuntu 16.04 LTS , \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 9 , Novell Inc. OpenSUSE Leap 42.3 , Canonical Ltd. Ubuntu 18.04 LTS , Canonical Ltd. Ubuntu 18.10 , \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb Astra Linux Special Edition 1.6 \u00ab\u0421\u043c\u043e\u043b\u0435\u043d\u0441\u043a\u00bb  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369), Fedora Project Fedora 29 , Canonical Ltd. Ubuntu 19.04 , Red Hat Inc. Red Hat Enterprise Linux 8 , Novell Inc. OpenSUSE Leap 15.0 , Novell Inc. OpenSUSE Leap 15.1 , Fedora Project Fedora 30 , \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 8 , \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 10 , Red Hat Inc. Red Hat Enterprise Linux 7.4 Extended Update Support , Red Hat Inc. Red Hat Enterprise Linux 7.5 Extended Update Support , \u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb \u0420\u0415\u0414 \u041e\u0421 7.1 \u041c\u0423\u0420\u041e\u041c  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751), \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb Astra Linux Special Edition \u0434\u043b\u044f \u00ab\u042d\u043b\u044c\u0431\u0440\u0443\u0441\u00bb 8.1 \u00ab\u041b\u0435\u043d\u0438\u043d\u0433\u0440\u0430\u0434\u00bb  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u211611156), \u0410\u041e \u00ab\u041d\u0422\u0426 \u0418\u0422 \u0420\u041e\u0421\u0410\u00bb ROSA Virtualization 3.0 3.0  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u211621308)",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0431\u0438\u0431\u043b\u0438\u043e\u0442\u0435\u043a\u0438 getchar.c \u0442\u0435\u043a\u0441\u0442\u043e\u0432\u043e\u0433\u043e \u0440\u0435\u0434\u0430\u043a\u0442\u043e\u0440\u0430 Vim, \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u0430\u044f \u0441 \u043e\u0442\u0441\u0443\u0442\u0441\u0442\u0432\u0438\u0435\u043c \u043c\u0435\u0440 \u043f\u043e \u043d\u0435\u0439\u0442\u0440\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u0438 \u0441\u043f\u0435\u0446\u0438\u0430\u043b\u044c\u043d\u044b\u0445 \u044d\u043b\u0435\u043c\u0435\u043d\u0442\u043e\u0432, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u043c\u044b\u0445 \u0432 \u043a\u043e\u043c\u0430\u043d\u0434\u0435 \u043e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u043e\u0439 \u0441\u0438\u0441\u0442\u0435\u043c\u044b, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u043a\u043e\u043d\u0444\u0438\u0434\u0435\u043d\u0446\u0438\u0430\u043b\u044c\u043d\u044b\u043c \u0434\u0430\u043d\u043d\u044b\u043c, \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u044c \u0438\u0445 \u0446\u0435\u043b\u043e\u0441\u0442\u043d\u043e\u0441\u0442\u044c, \u0430 \u0442\u0430\u043a\u0436\u0435 \u0432\u044b\u0437\u0432\u0430\u0442\u044c \u043e\u0442\u043a\u0430\u0437 \u0432 \u043e\u0431\u0441\u043b\u0443\u0436\u0438\u0432\u0430\u043d\u0438\u0438",
  "\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0421\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u0435\u0442 \u0432 \u043e\u0442\u043a\u0440\u044b\u0442\u043e\u043c \u0434\u043e\u0441\u0442\u0443\u043f\u0435",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u043f\u0440\u0438\u043d\u044f\u0442\u0438\u0435 \u043c\u0435\u0440 \u043f\u043e \u043d\u0435\u0439\u0442\u0440\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u0438 \u0441\u043f\u0435\u0446\u0438\u0430\u043b\u044c\u043d\u044b\u0445 \u044d\u043b\u0435\u043c\u0435\u043d\u0442\u043e\u0432, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u043c\u044b\u0445 \u0432 \u043a\u043e\u043c\u0430\u043d\u0434\u0435 \u043e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u043e\u0439 \u0441\u0438\u0441\u0442\u0435\u043c\u044b (\u0412\u043d\u0435\u0434\u0440\u0435\u043d\u0438\u0435 \u0432 \u043a\u043e\u043c\u0430\u043d\u0434\u0443 \u043e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u043e\u0439 \u0441\u0438\u0441\u0442\u0435\u043c\u044b) (CWE-78)",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0431\u0438\u0431\u043b\u0438\u043e\u0442\u0435\u043a\u0438 getchar.c \u0442\u0435\u043a\u0441\u0442\u043e\u0432\u043e\u0433\u043e \u0440\u0435\u0434\u0430\u043a\u0442\u043e\u0440\u0430 Vim \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043e\u0442\u0441\u0443\u0442\u0441\u0442\u0432\u0438\u0435\u043c \u0444\u0438\u043b\u044c\u0442\u0440\u0430\u0446\u0438\u0438 \u043a\u043e\u043c\u0430\u043d\u0434\u044b \u00ab!source\u00bb, \u043a\u043e\u0442\u043e\u0440\u0430\u044f \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0435\u0442 \u0432\u044b\u043f\u043e\u043b\u043d\u044f\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0435 \u043a\u043e\u043c\u0430\u043d\u0434\u044b \u0432 \u043e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u043e\u0439 \u0441\u0438\u0441\u0442\u0435\u043c\u0435. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0435\u0442 \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u043a\u043e\u043d\u0444\u0438\u0434\u0435\u043d\u0446\u0438\u0430\u043b\u044c\u043d\u044b\u043c \u0434\u0430\u043d\u043d\u044b\u043c, \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u044c \u0438\u0445 \u0446\u0435\u043b\u043e\u0441\u0442\u043d\u043e\u0441\u0442\u044c, \u0430 \u0442\u0430\u043a\u0436\u0435 \u0432\u044b\u0437\u0432\u0430\u0442\u044c \u043e\u0442\u043a\u0430\u0437 \u0432 \u043e\u0431\u0441\u043b\u0443\u0436\u0438\u0432\u0430\u043d\u0438\u0438",
  "\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
  "\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": "-",
  "\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430",
  "\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u0417\u043b\u043e\u0443\u043f\u043e\u0442\u0440\u0435\u0431\u043b\u0435\u043d\u0438\u0435 \u0444\u0443\u043d\u043a\u0446\u0438\u043e\u043d\u0430\u043b\u043e\u043c",
  "\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://github.com/vim/vim/commit/53575521406739cf20bbe4e384d88e7dca11f040\nhttps://github.com/neovim/neovim/pull/10082/commits/5e611f32841e746932fbcbea292ca502ed9e694b\nhttps://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md\nhttps://access.redhat.com/errata/RHSA-2019:1619\nhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2BMDSHTF754TITC6AQJPCS5IRIDMMIM7/\nhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TRIRBC2YRGKPAWVRMZS4SZTGGCVRVZPR/\nhttps://usn.ubuntu.com/4016-1/\nhttps://usn.ubuntu.com/4016-2/\nhttps://www.debian.org/security/2019/dsa-4467\nhttps://www.debian.org/security/2019/dsa-4487\nhttps://wiki.astralinux.ru/pages/viewpage.action?pageId=57444186\nhttps://lists.opensuse.org/opensuse-security-announce/2019-06/msg00031.html\nhttps://lists.opensuse.org/opensuse-security-announce/2019-06/msg00036.html\nhttps://lists.opensuse.org/opensuse-security-announce/2019-06/msg00037.html\nhttps://lists.opensuse.org/opensuse-security-announce/2019-07/msg00034.html\nhttps://lists.opensuse.org/opensuse-security-announce/2019-07/msg00050.html\nhttps://lists.opensuse.org/opensuse-security-announce/2019-07/msg00050.html\nhttps://wiki.astralinux.ru/pages/viewpage.action?pageId=41192827\nhttps://wiki.astralinux.ru/astra-linux-se15-bulletin-20201201SE15\nhttps://abf.rosa.ru/advisories/ROSA-SA-2025-2720",
  "\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
  "\u0422\u0438\u043f \u041f\u041e": "\u041e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430, \u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c",
  "\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-78",
  "\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 7,2)\n\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 8,6)"
}

CVE-2019-12735 (GCVE-0-2019-12735)

Vulnerability from cvelistv5 – Published: 2019-06-05 13:07 – Updated: 2025-11-11 16:50

Summary

getchar.c in Vim before 8.1.1365 and Neovim before 0.3.6 allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline, as demonstrated by execute in Vim, and assert_fails or nvim_input in Neovim.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

	https://github.com/numirias/security/blob/master/…
	https://github.com/vim/vim/commit/53575521406739c…
	https://github.com/neovim/neovim/pull/10082
	https://bugs.debian.org/930020
	https://bugs.debian.org/930024
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisory
	https://usn.ubuntu.com/4016-1/	vendor-advisory
	https://usn.ubuntu.com/4016-2/	vendor-advisory
	http://www.securityfocus.com/bid/108724	vdb-entry
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisory
	http://lists.opensuse.org/opensuse-security-annou…	vendor-advisory
	http://lists.opensuse.org/opensuse-security-annou…	vendor-advisory
	http://lists.opensuse.org/opensuse-security-annou…	vendor-advisory
	https://www.debian.org/security/2019/dsa-4467	vendor-advisory
	https://seclists.org/bugtraq/2019/Jun/33	mailing-list
	https://support.f5.com/csp/article/K93144355
	https://access.redhat.com/errata/RHSA-2019:1619	vendor-advisory
	https://access.redhat.com/errata/RHSA-2019:1774	vendor-advisory
	https://access.redhat.com/errata/RHSA-2019:1793	vendor-advisory
	http://lists.opensuse.org/opensuse-security-annou…	vendor-advisory
	http://lists.opensuse.org/opensuse-security-annou…	vendor-advisory
	https://www.debian.org/security/2019/dsa-4487	vendor-advisory
	https://seclists.org/bugtraq/2019/Jul/39	mailing-list
	https://access.redhat.com/errata/RHSA-2019:1947	vendor-advisory
	https://lists.debian.org/debian-lts-announce/2019…	mailing-list
	http://lists.opensuse.org/opensuse-security-annou…	vendor-advisory
	https://support.f5.com/csp/article/K93144355?utm_…
	https://security.gentoo.org/glsa/202003-04	vendor-advisory
	https://www.exploit-db.com/exploits/46973

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T23:32:54.206Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/vim/vim/commit/53575521406739cf20bbe4e384d88e7dca11f040"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/neovim/neovim/pull/10082"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugs.debian.org/930020"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugs.debian.org/930024"
          },
          {
            "name": "FEDORA-2019-d79f89346c",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2BMDSHTF754TITC6AQJPCS5IRIDMMIM7/"
          },
          {
            "name": "USN-4016-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/4016-1/"
          },
          {
            "name": "USN-4016-2",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/4016-2/"
          },
          {
            "name": "108724",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/108724"
          },
          {
            "name": "FEDORA-2019-dcd49378b8",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TRIRBC2YRGKPAWVRMZS4SZTGGCVRVZPR/"
          },
          {
            "name": "openSUSE-SU-2019:1551",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00031.html"
          },
          {
            "name": "openSUSE-SU-2019:1562",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00036.html"
          },
          {
            "name": "openSUSE-SU-2019:1561",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00037.html"
          },
          {
            "name": "DSA-4467",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2019/dsa-4467"
          },
          {
            "name": "20190624 [SECURITY] [DSA 4467-2] vim regression update",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "https://seclists.org/bugtraq/2019/Jun/33"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://support.f5.com/csp/article/K93144355"
          },
          {
            "name": "RHSA-2019:1619",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:1619"
          },
          {
            "name": "RHSA-2019:1774",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:1774"
          },
          {
            "name": "RHSA-2019:1793",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:1793"
          },
          {
            "name": "openSUSE-SU-2019:1759",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00034.html"
          },
          {
            "name": "openSUSE-SU-2019:1796",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00050.html"
          },
          {
            "name": "DSA-4487",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2019/dsa-4487"
          },
          {
            "name": "20190724 [SECURITY] [DSA 4487-1] neovim security update",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "https://seclists.org/bugtraq/2019/Jul/39"
          },
          {
            "name": "RHSA-2019:1947",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:1947"
          },
          {
            "name": "[debian-lts-announce] 20190803 [SECURITY] [DLA 1871-1] vim security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00003.html"
          },
          {
            "name": "openSUSE-SU-2019:1997",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00075.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://support.f5.com/csp/article/K93144355?utm_source=f5support\u0026amp%3Butm_medium=RSS"
          },
          {
            "name": "GLSA-202003-04",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202003-04"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "getchar.c in Vim before 8.1.1365 and Neovim before 0.3.6 allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline, as demonstrated by execute in Vim, and assert_fails or nvim_input in Neovim."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-11T16:50:16.838Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md"
        },
        {
          "url": "https://github.com/vim/vim/commit/53575521406739cf20bbe4e384d88e7dca11f040"
        },
        {
          "url": "https://github.com/neovim/neovim/pull/10082"
        },
        {
          "url": "https://bugs.debian.org/930020"
        },
        {
          "url": "https://bugs.debian.org/930024"
        },
        {
          "name": "FEDORA-2019-d79f89346c",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2BMDSHTF754TITC6AQJPCS5IRIDMMIM7/"
        },
        {
          "name": "USN-4016-1",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://usn.ubuntu.com/4016-1/"
        },
        {
          "name": "USN-4016-2",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://usn.ubuntu.com/4016-2/"
        },
        {
          "name": "108724",
          "tags": [
            "vdb-entry"
          ],
          "url": "http://www.securityfocus.com/bid/108724"
        },
        {
          "name": "FEDORA-2019-dcd49378b8",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TRIRBC2YRGKPAWVRMZS4SZTGGCVRVZPR/"
        },
        {
          "name": "openSUSE-SU-2019:1551",
          "tags": [
            "vendor-advisory"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00031.html"
        },
        {
          "name": "openSUSE-SU-2019:1562",
          "tags": [
            "vendor-advisory"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00036.html"
        },
        {
          "name": "openSUSE-SU-2019:1561",
          "tags": [
            "vendor-advisory"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00037.html"
        },
        {
          "name": "DSA-4467",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.debian.org/security/2019/dsa-4467"
        },
        {
          "name": "20190624 [SECURITY] [DSA 4467-2] vim regression update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://seclists.org/bugtraq/2019/Jun/33"
        },
        {
          "url": "https://support.f5.com/csp/article/K93144355"
        },
        {
          "name": "RHSA-2019:1619",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:1619"
        },
        {
          "name": "RHSA-2019:1774",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:1774"
        },
        {
          "name": "RHSA-2019:1793",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:1793"
        },
        {
          "name": "openSUSE-SU-2019:1759",
          "tags": [
            "vendor-advisory"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00034.html"
        },
        {
          "name": "openSUSE-SU-2019:1796",
          "tags": [
            "vendor-advisory"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00050.html"
        },
        {
          "name": "DSA-4487",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.debian.org/security/2019/dsa-4487"
        },
        {
          "name": "20190724 [SECURITY] [DSA 4487-1] neovim security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://seclists.org/bugtraq/2019/Jul/39"
        },
        {
          "name": "RHSA-2019:1947",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:1947"
        },
        {
          "name": "[debian-lts-announce] 20190803 [SECURITY] [DLA 1871-1] vim security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00003.html"
        },
        {
          "name": "openSUSE-SU-2019:1997",
          "tags": [
            "vendor-advisory"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00075.html"
        },
        {
          "url": "https://support.f5.com/csp/article/K93144355?utm_source=f5support\u0026amp;utm_medium=RSS"
        },
        {
          "name": "GLSA-202003-04",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security.gentoo.org/glsa/202003-04"
        },
        {
          "url": "https://www.exploit-db.com/exploits/46973"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2019-12735",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "getchar.c in Vim before 8.1.1365 and Neovim before 0.3.6 allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline, as demonstrated by execute in Vim, and assert_fails or nvim_input in Neovim."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md",
              "refsource": "MISC",
              "url": "https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md"
            },
            {
              "name": "https://github.com/vim/vim/commit/53575521406739cf20bbe4e384d88e7dca11f040",
              "refsource": "MISC",
              "url": "https://github.com/vim/vim/commit/53575521406739cf20bbe4e384d88e7dca11f040"
            },
            {
              "name": "https://github.com/neovim/neovim/pull/10082",
              "refsource": "MISC",
              "url": "https://github.com/neovim/neovim/pull/10082"
            },
            {
              "name": "https://bugs.debian.org/930020",
              "refsource": "MISC",
              "url": "https://bugs.debian.org/930020"
            },
            {
              "name": "https://bugs.debian.org/930024",
              "refsource": "MISC",
              "url": "https://bugs.debian.org/930024"
            },
            {
              "name": "FEDORA-2019-d79f89346c",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2BMDSHTF754TITC6AQJPCS5IRIDMMIM7/"
            },
            {
              "name": "USN-4016-1",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/4016-1/"
            },
            {
              "name": "USN-4016-2",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/4016-2/"
            },
            {
              "name": "108724",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/108724"
            },
            {
              "name": "FEDORA-2019-dcd49378b8",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TRIRBC2YRGKPAWVRMZS4SZTGGCVRVZPR/"
            },
            {
              "name": "openSUSE-SU-2019:1551",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00031.html"
            },
            {
              "name": "openSUSE-SU-2019:1562",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00036.html"
            },
            {
              "name": "openSUSE-SU-2019:1561",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00037.html"
            },
            {
              "name": "DSA-4467",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2019/dsa-4467"
            },
            {
              "name": "20190624 [SECURITY] [DSA 4467-2] vim regression update",
              "refsource": "BUGTRAQ",
              "url": "https://seclists.org/bugtraq/2019/Jun/33"
            },
            {
              "name": "https://support.f5.com/csp/article/K93144355",
              "refsource": "CONFIRM",
              "url": "https://support.f5.com/csp/article/K93144355"
            },
            {
              "name": "RHSA-2019:1619",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:1619"
            },
            {
              "name": "RHSA-2019:1774",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:1774"
            },
            {
              "name": "RHSA-2019:1793",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:1793"
            },
            {
              "name": "openSUSE-SU-2019:1759",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00034.html"
            },
            {
              "name": "openSUSE-SU-2019:1796",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00050.html"
            },
            {
              "name": "DSA-4487",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2019/dsa-4487"
            },
            {
              "name": "20190724 [SECURITY] [DSA 4487-1] neovim security update",
              "refsource": "BUGTRAQ",
              "url": "https://seclists.org/bugtraq/2019/Jul/39"
            },
            {
              "name": "RHSA-2019:1947",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:1947"
            },
            {
              "name": "[debian-lts-announce] 20190803 [SECURITY] [DLA 1871-1] vim security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00003.html"
            },
            {
              "name": "openSUSE-SU-2019:1997",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00075.html"
            },
            {
              "name": "https://support.f5.com/csp/article/K93144355?utm_source=f5support\u0026amp;utm_medium=RSS",
              "refsource": "CONFIRM",
              "url": "https://support.f5.com/csp/article/K93144355?utm_source=f5support\u0026amp;utm_medium=RSS"
            },
            {
              "name": "GLSA-202003-04",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/202003-04"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2019-12735",
    "datePublished": "2019-06-05T13:07:48.000Z",
    "dateReserved": "2019-06-05T00:00:00.000Z",
    "dateUpdated": "2025-11-11T16:50:16.838Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

BDU:2019-03251

CVE-2019-12735 (GCVE-0-2019-12735)

Tags

Sightings

Nomenclature