
CVE-2008-4677

Date: (C)2008-10-22   (M)2017-08-08 


autoload/netrw.vim (aka the Netrw Plugin) 109, 131, and other versions before 133k for Vim 7.1.266, other 7.1 versions, and 7.2 stores credentials for an FTP session, and sends those credentials when attempting to establish subsequent FTP sessions to servers on different hosts, which allows remote FTP servers to obtain sensitive information in opportunistic circumstances by logging usernames and passwords. NOTE: the upstream vendor disputes a vector involving different ports on the same host, stating "I'm assuming that they're using the same id and password on that unchanged hostname, deliberately."

CVSS Score: 4.3
Exploit Score: 8.6
Impact Score: 2.9
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality: PARTIAL
Integrity: NONE
Availability: NONE





Reference:
http://www.securityfocus.com/archive/1/495432
http://www.securityfocus.com/archive/1/495436
BID-30670
SECUNIA-31464
SECUNIA-34418
ADV-2008-2379
MDVSA-2008:236
SUSE-SR:2009:007
http://www.openwall.com/lists/oss-security/2008/10/06/4
http://www.openwall.com/lists/oss-security/2008/10/16/2
http://www.openwall.com/lists/oss-security/2008/10/20/2
http://groups.google.com/group/vim_dev/browse_thread/thread/2f6fad581a037971/a5fcf4c4981d34e6?show_docid=a5fcf4c4981d34e6
http://www.rdancer.org/vulnerablevim-netrw-credentials-dis.html
https://bugzilla.redhat.com/show_bug.cgi?id=461750
vim-netrw-ftp-information-disclosure(44419)

CWE (1):
CWE-255
OVAL (2):
oval:org.secpod.oval:def:301320
oval:org.secpod.oval:def:301484

© 2013 SecPod Technologies