Vim multiple vulnerabilities

Advisory ID CVE Number Date discovered Severity Advisory revision
STORM-2022-006 CVE-2022-0714 , CVE-2022-0729 , CVE-2022-0696 , CVE-2022-0554 , CVE-2022-0572 , CVE-2022-0629 , CVE-2022-0685 03/07/2022 medium v1

Vulnerability details

An attacker can use these vulnerabilities to crash vim, bypass protection mechanism, modify memory and can use a Remote Code Execution attack.

Impacted products

ProductsSeverityDetail
Stormshield Network Security medium SNS is impacted

Revisions

Version Date Description
v1 09/08/2022 Reserved Publication
v2 11/17/2022 Updated and disclosed


Stormshield Network Security

CVSS v3.1 Overall Score: 5.7      

Analysis

Impacted version

An attacker could exploit these vulnerabilities with a specially forged file to crash vim or potentially execute arbitrary code.

For a hardening purpose, the vim text editor has been replaced by vi.
  • SNS 3.7.0 to 3.7.31
  • SNS 3.11.0 to 3.11.19
  • SNS 4.3.0 to 4.3.10
  • SNS 4.5.0 to 4.5.2

Workaround solution

Solution

There is no workaround solution.
The following versions fix this vulnerability:
  • 3.7.32
  • 3.11.20
  • 4.3.11
  • 4.5.3


Attack Vector Attack Complexity Privileges Required User Interaction Scope Confidentiality Impact Integrity Impact Availability impact
Local High High Required Unchanged High High High
CVSS Base score: 6.3 CVSS Vector: (AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H)
Exploit Code Maturity Remediation Level Report Confidence
Proof of concept code Official fix Confirmed
CVSS Temporal score: 5.7 CVSS Vector: (AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C)
Confidentiality Requirement Integrity Requirement Availability Requirement
High High High
CVSS Environmental score: 5.7 CVSS Vector: (AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C/CR:H/IR:H/AR:H/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X)