Vim Use After Free (CVE-2021-3796)

Vim Use After Free (CVE-2021-3796)

Advisory ID	CVE Number	Date discovered	Severity	Advisory revision
STORM-2021-062	CVE-2021-3796	10/26/2021	medium	v1

Vulnerability details

A vulnerability in vim can lead to a use after free and impact confidentiality, availability and integrity.

Impacted products

Products	Severity	Detail
Stormshield Network Security	medium	SNS is impacted

Revisions

Version	Date	Description
v1	12/08/2021	Initial release

Stormshield Network Security

CVSS v3.1 Overall Score: 5.7

Analysis	Impacted version
If an administrator opens a malicious crafted file with vim, this can generate a use after free on vim and depending on the crafted file, this can lead to modify memory, crash vim or execute RCE attack.	SNS 3.0.0 to 3.7.22 SNS 3.8.0 to 3.11.10 SNS 4.0.0 to 4.2.6

Workaround solution

Solution

There is no workaround solution.

The vulnerability is fixed in versions:

3.7.23
3.11.11
4.2.7

Attack Vector	Attack Complexity	Privileges Required	User Interaction	Scope	Confidentiality Impact	Integrity Impact	Availability impact
Local	High	High	Required	Unchanged	High	High	High

CVSS Base score: 6.3	CVSS Vector: (AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H)

Exploit Code Maturity	Remediation Level	Report Confidence
Proof of concept code	Official fix	Confirmed

CVSS Temporal score: 5.7	CVSS Vector: (AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C)

Confidentiality Requirement (CR)	Integrity Requirement (IR)	Availability Requirement (AR)
High	High	High

CVSS Environmental score: 5.7	CVSS Vector: (AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C/CR:H/IR:H/AR:H/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X)

RSS Feed Contact Report a vulnerability Legal terms STORMSHIELD Corporate website Personal Data