Vim getchar.c Remote Operating System Command Execution Vulnerability

By GIXnews

A vulnerability in the getchar.c source code file of Vim could allow an authenticated, remote attacker to execute arbitrary commands on a targeted system.

The vulnerability exists because the affected system does not properly validate user-supplied input. An attacker could exploit this vulnerability by executing the :source! command in a modeline on the affected system. A successful exploit could allow the attacker to execute arbitrary operating system commands on the targeted system.
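From the defender's side, the two practical questions are whether a file that is about to be opened carries a modeline that tries to run commands, and whether a user's vimrc has modeline processing switched off. The following Python script is an added example, not code from the advisory or from the Vim project. It assumes the modeline syntax documented in Vim's `:help modeline` (`vi:`/`vim:`/`ex:` prefixes, optionally followed by `set`, scanned in the first and last `modelines` lines, default 5), and uses a small, heuristic list of indicators: the `:source!` command named above, `execute(` calls, and options that evaluate expressions (`foldexpr`, `formatexpr`, `indentexpr`, `includeexpr`). The sample file and vimrc are constructed, and the option values in them are placeholders rather than working payloads.

```python
import re

# Vim inspects the first and last 'modelines' lines of a file (default 5).
MODELINES = 5

# Modeline forms from ':help modeline' (assumption: this regex covers both):
#   [text]{white}{vi:|vim:|ex:}[white]{options}
#   [text]{white}{vi:|vim:|Vim:|ex:}[white]se[t] {options}:[text]
MODELINE_RE = re.compile(r'(?:^|\s)(?:vi|vim|Vim|ex):\s*(.*)$')

# Heuristic indicators of a modeline that tries to run code rather than set
# harmless options. Long and short option names are both matched.
SUSPICIOUS = [
    ("source!", re.compile(r'source!', re.I)),
    ("execute()", re.compile(r'\bexecute\s*\(')),
    ("expr-option", re.compile(
        r'\b(?:foldexpr|fde|formatexpr|fex|indentexpr|inde|includeexpr|inex)=')),
]


def candidate_lines(lines, modelines=MODELINES):
    """Yield (lineno, text) for the lines Vim would examine for modelines."""
    if len(lines) <= 2 * modelines:
        yield from enumerate(lines, 1)
        return
    yield from enumerate(lines[:modelines], 1)
    start = len(lines) - modelines + 1
    yield from enumerate(lines[-modelines:], start)


def scan_text(text, modelines=MODELINES):
    """Return [(lineno, [reason, ...])] for suspicious modelines in `text`."""
    findings = []
    for lineno, line in candidate_lines(text.splitlines(), modelines):
        match = MODELINE_RE.search(line)
        if not match:
            continue
        options = match.group(1)
        reasons = [name for name, pat in SUSPICIOUS if pat.search(options)]
        if reasons:
            findings.append((lineno, reasons))
    return findings


# Lines in a vimrc that turn modeline processing on or off; the last one wins.
VIMRC_OFF = re.compile(r'^\s*se(?:t)?\s+(?:noml\b|nomodeline\b|modelines=0\b)')
VIMRC_ON = re.compile(r'^\s*se(?:t)?\s+(?:ml\b|modeline\b)')


def modelines_disabled(vimrc_text):
    """True if the vimrc's last relevant setting disables modelines.

    Assumption: with no setting at all, modelines are treated as enabled,
    which is Vim's default for a normal (non-root) user.
    """
    disabled = False
    for line in vimrc_text.splitlines():
        if VIMRC_OFF.match(line):
            disabled = True
        elif VIMRC_ON.match(line):
            disabled = False
    return disabled


# Constructed sample file: one benign modeline, two that should be flagged.
SAMPLE_FILE = """\
# constructed sample file (not from the advisory)
# vim: set ts=4 sw=4 et:
line 3 of body
line 4
line 5
line 6
line 7
line 8
# ex: se ts=4 source! PLACEHOLDER_COMMAND
# vim: fdm=expr fde=PLACEHOLDER_EXPR
"""

# Constructed vimrc fragments.
HARDENED_VIMRC = "syntax on\nset nomodeline\n"
WEAK_VIMRC = "syntax on\nset modeline\nset modelines=5\n"

if __name__ == "__main__":
    for lineno, reasons in scan_text(SAMPLE_FILE):
        print(f"line {lineno}: suspicious modeline ({', '.join(reasons)})")
    print("hardened vimrc disables modelines:", modelines_disabled(HARDENED_VIMRC))
    print("weak vimrc disables modelines:", modelines_disabled(WEAK_VIMRC))
```

The scanner is a triage aid for files arriving from untrusted sources (repositories, attachments, shared drives); it is deliberately conservative about what it reports and will miss obfuscated option values. The durable mitigation the advisory points to is the patch, with `set nomodeline` (or `modelines=0`) in the vimrc as a belt-and-braces setting that removes the attack surface regardless of version.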

Proof-of-concept code that demonstrates an exploit of this vulnerability is available.

Vim has confirmed the vulnerability and released a software patch.

Security Impact Rating: High

CVE: CVE-2019-12735

Source: Cisco Multivendor Vulnerability Alerts