CVE Vulnerability

CVE-2018-11319

Syntastic (aka vim-syntastic) through 3.9.0 does not properly handle searches for configuration files (it searches the current directory up to potentially the root). This improper handling might be exploited for arbitrary code execution via a malicious gcc plugin, if an attacker has write access to a directory that is a parent of the base directory of the project being checked. NOTE: exploitation is more difficult after 3.8.0 because filename prediction may be needed.

8.5 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 6.8 / Impact : 10

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

Scope

7.5 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 1.6 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/vim-syntastic/syntastic/issues/2170 Exploit Issue Tracking
https://github.com/vim-syntastic/syntastic/commit/6d7c0b394e001233dd09ec473fbea2002c72632f Patch Third Party Advisory
https://bugs.debian.org/894736 Exploit Issue Tracking
https://lists.debian.org/debian-lts-announce/2018/07/msg00036.html Mailing List Third Party Advisory
https://www.debian.org/security/2018/dsa-4261 Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:syntastic_project:syntastic:*:*:*:*:*:vim:*:*
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Information

Published : 2018-05-20 08:29

Updated : 2019-10-03 12:03

NVD link : CVE-2018-11319

Mitre link : CVE-2018-11319

Products Affected
No products.
CWE
CWE-22