DSA-4487-1 neovim -- neovimID: oval:org.secpod.oval:def:57796 | Date: (C)2019-08-07 (M)2022-10-10 |
Class: PATCH | Family: unix |
User "Arminius" discovered a vulnerability in Vim, an enhanced version of the standard UNIX editor Vi , which also affected the Neovim fork, an extensible editor focused on modern code and features: Editors typically provide a way to embed editor configuration commands which are executed once a file is opened, while harmful commands are filtered by a sandbox mechanism. It was discovered that the "source" command was not filtered, allowing shell command execution with a carefully crafted file opened in Neovim.