CVE-2024-43790
Vulnerability from cvelistv5
Published
2024-08-22 21:23
Modified
2024-09-20 16:03
Severity ?
EPSS score ?
Summary
Vim is an open source command line text editor. When performing a search and displaying the search-count message is disabled (:set shm+=S), the search pattern is displayed at the bottom of the screen in a buffer (msgbuf). When right-left mode (:set rl) is enabled, the search pattern is reversed. This happens by allocating a new buffer. If the search pattern contains some ASCII NUL characters, the buffer allocated will be smaller than the original allocated buffer (because for allocating the reversed buffer, the strlen() function is called, which only counts until it notices an ASCII NUL byte ) and thus the original length indicator is wrong. This causes an overflow when accessing characters inside the msgbuf by the previously (now wrong) length of the msgbuf. The issue has been fixed as of Vim patch v9.1.0689.
References
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-43790", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-08-23T16:42:30.460971Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-23T16:42:39.434Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-09-20T16:03:12.105Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "url": "https://security.netapp.com/advisory/ntap-20240920-0005/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "vim", "vendor": "vim", "versions": [ { "status": "affected", "version": "\u003c v9.1.0689" } ] } ], "descriptions": [ { "lang": "en", "value": "Vim is an open source command line text editor. When performing a search and displaying the search-count message is disabled (:set shm+=S), the search pattern is displayed at the bottom of the screen in a buffer (msgbuf). When right-left mode (:set rl) is enabled, the search pattern is reversed. This happens by allocating a new buffer. If the search pattern contains some ASCII NUL characters, the buffer allocated will be smaller than the original allocated buffer (because for allocating the reversed buffer, the strlen() function is called, which only counts until it notices an ASCII NUL byte ) and thus the original length indicator is wrong. This causes an overflow when accessing characters inside the msgbuf by the previously (now wrong) length of the msgbuf. The issue has been fixed as of Vim patch v9.1.0689." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 4.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-122", "description": "CWE-122: Heap-based Buffer Overflow", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-08-22T21:23:07.797Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/vim/vim/security/advisories/GHSA-v2x2-cjcg-f9jm", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/vim/vim/security/advisories/GHSA-v2x2-cjcg-f9jm" }, { "name": "https://github.com/vim/vim/commit/cacb6693c10bb19f28a50eca47bc", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/vim/vim/commit/cacb6693c10bb19f28a50eca47bc" } ], "source": { "advisory": "GHSA-v2x2-cjcg-f9jm", "discovery": "UNKNOWN" }, "title": "heap-buffer-overflow in do_search() in Vim \u003c 9.1.0689" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-43790", "datePublished": "2024-08-22T21:23:07.797Z", "dateReserved": "2024-08-16T14:20:37.323Z", "dateUpdated": "2024-09-20T16:03:12.105Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2024-43790\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-08-22T22:15:05.317\",\"lastModified\":\"2024-11-21T09:35:52.580\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Vim is an open source command line text editor. When performing a search and displaying the search-count message is disabled (:set shm+=S), the search pattern is displayed at the bottom of the screen in a buffer (msgbuf). When right-left mode (:set rl) is enabled, the search pattern is reversed. This happens by allocating a new buffer. If the search pattern contains some ASCII NUL characters, the buffer allocated will be smaller than the original allocated buffer (because for allocating the reversed buffer, the strlen() function is called, which only counts until it notices an ASCII NUL byte ) and thus the original length indicator is wrong. This causes an overflow when accessing characters inside the msgbuf by the previously (now wrong) length of the msgbuf. The issue has been fixed as of Vim patch v9.1.0689.\"},{\"lang\":\"es\",\"value\":\"Vim es un editor de texto de l\u00ednea de comandos de c\u00f3digo abierto. Cuando se realiza una b\u00fasqueda y se deshabilita la visualizaci\u00f3n del mensaje de recuento de b\u00fasqueda (:set shm+=S), el patr\u00f3n de b\u00fasqueda se muestra en la parte inferior de la pantalla en un b\u00fafer (msgbuf). Cuando el modo derecha-izquierda (:set rl) est\u00e1 habilitado, el patr\u00f3n de b\u00fasqueda se invierte. Esto sucede asignando un nuevo b\u00fafer. Si el patr\u00f3n de b\u00fasqueda contiene algunos caracteres ASCII NUL, el b\u00fafer asignado ser\u00e1 m\u00e1s peque\u00f1o que el b\u00fafer asignado original (porque para asignar el b\u00fafer invertido, se llama a la funci\u00f3n strlen(), que solo cuenta hasta que detecta un byte ASCII NUL) y por lo tanto el indicador de longitud original es incorrecto. Esto provoca un desbordamiento al acceder a caracteres dentro del msgbuf por la longitud anterior (ahora incorrecta) del msgbuf. El problema se solucion\u00f3 a partir del parche Vim v9.1.0689.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L\",\"baseScore\":4.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":1.0,\"impactScore\":3.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-122\"}]}],\"references\":[{\"url\":\"https://github.com/vim/vim/commit/cacb6693c10bb19f28a50eca47bc\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/vim/vim/security/advisories/GHSA-v2x2-cjcg-f9jm\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20240920-0005/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}" } }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.