{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-48706", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-11-17T19:43:37.554Z", "datePublished": "2023-11-22T22:03:39.503Z", "dateUpdated": "2025-02-13T17:18:19.931Z"}, "containers": {"cna": {"title": "Vim has heap-use-after-free at /src/charset.c:1770:12 in skipwhite", "problemTypes": [{"descriptions": [{"cweId": "CWE-416", "lang": "en", "description": "CWE-416: Use After Free", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 3.6, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/vim/vim/security/advisories/GHSA-c8qm-x72m-q53q", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/vim/vim/security/advisories/GHSA-c8qm-x72m-q53q"}, {"name": "https://github.com/vim/vim/pull/13552", "tags": ["x_refsource_MISC"], "url": "https://github.com/vim/vim/pull/13552"}, {"name": "https://github.com/vim/vim/commit/26c11c56888d01e298cd8044caf860f3c26f57bb", "tags": ["x_refsource_MISC"], "url": "https://github.com/vim/vim/commit/26c11c56888d01e298cd8044caf860f3c26f57bb"}, {"name": "https://github.com/gandalf4a/crash_report/blob/main/vim/vim_huaf", "tags": ["x_refsource_MISC"], "url": "https://github.com/gandalf4a/crash_report/blob/main/vim/vim_huaf"}, {"url": "http://www.openwall.com/lists/oss-security/2023/11/22/3"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DNMFS3IH74KEMMESOA3EOB6MZ56TWGFF/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IVA7K73WHQH4KVFDJQ7ELIUD2WK5ZT5E/"}, {"url": "https://security.netapp.com/advisory/ntap-20240105-0001/"}], "affected": [{"vendor": "vim", "product": "vim", "versions": [{"version": "< 9.0.2121", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-01-05T18:06:19.220Z"}, "descriptions": [{"lang": "en", "value": "Vim is a UNIX editor that, prior to version 9.0.2121, has a heap-use-after-free vulnerability. When executing a `:s` command for the very first time and using a sub-replace-special atom inside the substitution part, it is possible that the recursive `:s` call causes free-ing of memory which may later then be accessed by the initial `:s` command. The user must intentionally execute the payload and the whole process is a bit tricky to do since it seems to work only reliably for the very first :s command. It may also cause a crash of Vim. Version 9.0.2121 contains a fix for this issue."}], "source": {"advisory": "GHSA-c8qm-x72m-q53q", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T21:37:54.655Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/vim/vim/security/advisories/GHSA-c8qm-x72m-q53q", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/vim/vim/security/advisories/GHSA-c8qm-x72m-q53q"}, {"name": "https://github.com/vim/vim/pull/13552", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/vim/vim/pull/13552"}, {"name": "https://github.com/vim/vim/commit/26c11c56888d01e298cd8044caf860f3c26f57bb", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/vim/vim/commit/26c11c56888d01e298cd8044caf860f3c26f57bb"}, {"name": "https://github.com/gandalf4a/crash_report/blob/main/vim/vim_huaf", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/gandalf4a/crash_report/blob/main/vim/vim_huaf"}, {"url": "http://www.openwall.com/lists/oss-security/2023/11/22/3", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DNMFS3IH74KEMMESOA3EOB6MZ56TWGFF/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IVA7K73WHQH4KVFDJQ7ELIUD2WK5ZT5E/", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240105-0001/", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vim:vim:*:*:*:*:*:*:*:*", "matchCriteriaId": "F978DA02-FB07-40A0-BD9E-CAC3945B4E2D", "versionEndExcluding": "9.0.2121", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Vim is a UNIX editor that, prior to version 9.0.2121, has a heap-use-after-free vulnerability. When executing a `:s` command for the very first time and using a sub-replace-special atom inside the substitution part, it is possible that the recursive `:s` call causes free-ing of memory which may later then be accessed by the initial `:s` command. The user must intentionally execute the payload and the whole process is a bit tricky to do since it seems to work only reliably for the very first :s command. It may also cause a crash of Vim. Version 9.0.2121 contains a fix for this issue."}, {"lang": "es", "value": "Vim es un editor UNIX que, antes de la versi\u00f3n 9.0.2121, tiene una vulnerabilidad de heap-use-after-free. Al ejecutar un comando `:s` por primera vez y utilizar un \u00e1tomo subreemplazante especial dentro de la parte de sustituci\u00f3n, es posible que la llamada recursiva `:s` provoque la liberaci\u00f3n de memoria a la que luego se podr\u00e1 acceder por el comando inicial `:s`. El usuario debe ejecutar intencionalmente el payload y todo el proceso es un poco complicado de realizar ya que parece funcionar solo de manera confiable para el primer comando :s. Tambi\u00e9n puede provocar un bloqueo de Vim. La versi\u00f3n 9.0.2121 contiene una soluci\u00f3n para este problema."}], "id": "CVE-2023-48706", "lastModified": "2024-11-21T08:32:17.980", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 3.6, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-11-22T22:15:08.673", "references": [{"source": "security-advisories@github.com", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2023/11/22/3"}, {"source": "security-advisories@github.com", "tags": ["Exploit"], "url": "https://github.com/gandalf4a/crash_report/blob/main/vim/vim_huaf"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/vim/vim/commit/26c11c56888d01e298cd8044caf860f3c26f57bb"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/vim/vim/pull/13552"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/vim/vim/security/advisories/GHSA-c8qm-x72m-q53q"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DNMFS3IH74KEMMESOA3EOB6MZ56TWGFF/"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IVA7K73WHQH4KVFDJQ7ELIUD2WK5ZT5E/"}, {"source": "security-advisories@github.com", "url": "https://security.netapp.com/advisory/ntap-20240105-0001/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2023/11/22/3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "https://github.com/gandalf4a/crash_report/blob/main/vim/vim_huaf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/vim/vim/commit/26c11c56888d01e298cd8044caf860f3c26f57bb"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/vim/vim/pull/13552"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/vim/vim/security/advisories/GHSA-c8qm-x72m-q53q"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DNMFS3IH74KEMMESOA3EOB6MZ56TWGFF/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IVA7K73WHQH4KVFDJQ7ELIUD2WK5ZT5E/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20240105-0001/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "vim: use-after-free in ex_substitute in Vim", "id": "2251118", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2251118"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.7", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-416", "details": ["Vim is a UNIX editor that, prior to version 9.0.2121, has a heap-use-after-free vulnerability. When executing a `:s` command for the very first time and using a sub-replace-special atom inside the substitution part, it is possible that the recursive `:s` call causes free-ing of memory which may later then be accessed by the initial `:s` command. The user must intentionally execute the payload and the whole process is a bit tricky to do since it seems to work only reliably for the very first :s command. It may also cause a crash of Vim. Version 9.0.2121 contains a fix for this issue.", "A heap use-after-free flaw was found in the vim package. When executing a `:s` command for the first time and using a sub-replace-special atom inside the substitution part, it is possible that the recursive `:s` call causes memory to be freed, which may later then be accessed by the initial `:s` command. This issue may result in Vim crashing."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2023-48706", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "vim", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "vim", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "vim", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "vim", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2023-11-22T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-48706\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-48706\nhttp://www.openwall.com/lists/oss-security/2023/11/22/3\nhttps://github.com/vim/vim/security/advisories/GHSA-c8qm-x72m-q53q"], "statement": "Red Hat considers this as a low impact since it requires the command to be run for the very first time and access to the shell in order to run the payload.", "threat_severity": "Low"}

{}