SNS : Vim multiple Vulnerabilities fixed by 8.2.4281

Advisory ID CVE Number Date discovered Severity Advisory revision
STORM-2022-004 CVE-2021-3927 , CVE-2021-3928 , CVE-2021-3968 , CVE-2021-3974 , CVE-2021-3984 , CVE-2021-4019 , CVE-2021-4069 , CVE-2021-4136 , CVE-2021-4166 , CVE-2021-4173 , CVE-2021-4187 , CVE-2021-4192 , CVE-2021-4193 , CVE-2022-0128 , CVE-2022-0156 , CVE-2022-0158 , CVE-2022-0213 , CVE-2022-0261 , CVE-2022-0318 , CVE-2022-0319 , CVE-2022-0351 , CVE-2022-0359 , CVE-2022-0361 , CVE-2022-0368 , CVE-2022-0392 , CVE-2022-0393 , CVE-2022-0407 , CVE-2022-0408 , CVE-2022-0413 , CVE-2022-0417 , CVE-2022-0443 02/10/2022 medium v1

Vulnerability details

Fixes for the VIM text editor:

  • CVE-2021-3927 : Heap-based Buffer Overflow
  • CVE-2021-3928 : Use of Uninitialized Variable
  • CVE-2021-3968 : Heap-based Buffer Overflow
  • CVE-2021-3974 : Use After Free
  • CVE-2021-3984 : Heap-based Buffer Overflow
  • CVE-2021-4019 : Heap-based Buffer Overflow
  • CVE-2021-4069 : Use After Free
  • CVE-2021-4136 : Heap-based Buffer Overflow
  • CVE-2021-4166 : Out-of-bounds Read
  • CVE-2021-4173 : Use After Free
  • CVE-2021-4187 : Use After Free
  • CVE-2021-4192 : Use After Free
  • CVE-2021-4193 : Out-of-bounds Read
  • CVE-2022-0128 : Out-of-bounds Read
  • CVE-2022-0156 : Use After Free
  • CVE-2022-0158 : Heap-based Buffer Overflow
  • CVE-2022-0213 : Heap-based Buffer Overflow
  • CVE-2022-0261 : Heap-based Buffer Overflow
  • CVE-2022-0318 : Heap-based Buffer Overflow
  • CVE-2022-0319 : Out-of-bounds Read
  • CVE-2022-0351 : Access of Memory Location Before Start of Buffer
  • CVE-2022-0359 : Heap-based Buffer Overflow
  • CVE-2022-0361 : Heap-based Buffer Overflow
  • CVE-2022-0368 : Out-of-bounds Read
  • CVE-2022-0392 : Heap-based Buffer Overflow
  • CVE-2022-0393 : Out-of-bounds Read
  • CVE-2022-0407 : Heap-based Buffer Overflow
  • CVE-2022-0408 : Stack-based Buffer Overflow
  • CVE-2022-0413 : Use After Free
  • CVE-2022-0417 : Heap-based Buffer Overflow
  • CVE-2022-0443 : Use After Free

Impacted products

ProductsSeverityDetail
Stormshield Network Security medium SNS is impacted

Revisions

Version Date Description
v1 04/06/2022 Initial release

 



Stormshield Network Security

CVSS v3.1 Overall Score: 5.7      

Analysis

Impacted version

Fix of Vim texte editor regarding vulnerabilities that can be exploited only after forging a specific file that will be openned by an administrator on the console.

  • SNS 3.0.0 to 3.7.26
  • SNS 3.8.0 to 3.11.14
  • SNS 4.0.0 to 4.2.10
  • SNS 4.3.0 to 4.3.6

Workaround solution

Solution

There is no workaround solution.

The following versions fix this vulnerability

  • 3.7.27
  • 3.11.15
  • 4.2.11
  • 4.3.7


Attack Vector Attack Complexity Privileges Required User Interaction Scope Confidentiality Impact Integrity Impact Availability impact
Local High High Required Unchanged High High High
CVSS Base score: 6.3 CVSS Vector: (AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H)
Exploit Code Maturity Remediation Level Report Confidence
Proof of concept code Official fix Confirmed
CVSS Temporal score: 5.7 CVSS Vector: (AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C)
Confidentiality Requirement Integrity Requirement Availability Requirement
High High High
CVSS Environmental score: 5.7 CVSS Vector: (AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C/CR:H/IR:H/AR:H/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X)