CVE

CVE-2008-4677

Date: (C)2008-10-22   (M)2017-08-08
 
CVSS Score: 4.3
Exploitability Subscore: 8.6
Impact Subscore: 2.9
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality: PARTIAL
Integrity: NONE
Availability: NONE

autoload/netrw.vim (aka the Netrw Plugin) 109, 131, and other versions before 133k for Vim 7.1.266, other 7.1 versions, and 7.2 stores credentials for an FTP session, and sends those credentials when attempting to establish subsequent FTP sessions to servers on different hosts, which allows remote FTP servers to obtain sensitive information in opportunistic circumstances by logging usernames and passwords. NOTE: the upstream vendor disputes a vector involving different ports on the same host, stating "I'm assuming that they're using the same id and password on that unchanged hostname, deliberately."

Reference:
http://www.securityfocus.com/archive/1/495432
http://www.securityfocus.com/archive/1/495436
BID-30670
SECUNIA-31464
SECUNIA-34418
ADV-2008-2379
MDVSA-2008:236
SUSE-SR:2009:007
http://www.openwall.com/lists/oss-security/2008/10/06/4
http://www.openwall.com/lists/oss-security/2008/10/16/2
http://www.openwall.com/lists/oss-security/2008/10/20/2
http://groups.google.com/group/vim_dev/browse_thread/thread/2f6fad581a037971/a5fcf4c4981d34e6?show_docid=a5fcf4c4981d34e6
http://www.rdancer.org/vulnerablevim-netrw-credentials-dis.html
https://bugzilla.redhat.com/show_bug.cgi?id=461750
vim-netrw-ftp-information-disclosure(44419)

CWE    1
CWE-255
OVAL    2
oval:org.secpod.oval:def:301320
oval:org.secpod.oval:def:301484

© 2013 SecPod Technologies