CVE-2023-48706 - Vulnerability Details - OpenCVE

Vim is a UNIX editor that, prior to version 9.0.2121, has a heap-use-after-free vulnerability. When executing a `:s` command for the very first time and using a sub-replace-special atom inside the substitution part, it is possible that the recursive `:s` call causes free-ing of memory which may later then be accessed by the initial `:s` command. The user must intentionally execute the payload and the whole process is a bit tricky to do since it seems to work only reliably for the very first :s command. It may also cause a crash of Vim. Version 9.0.2121 contains a fix for this issue.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Vim	Vim

Configuration 1 [-]

cpe:2.3:a:vim:vim:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2023/11/22/3
https://github.com/gandalf4a/crash_report/blob/main/vim/vim_huaf
https://github.com/vim/vim/commit/26c11c56888d01e298cd8044caf860f3c26f57bb
https://github.com/vim/vim/pull/13552
https://github.com/vim/vim/security/advisories/GHSA-c8qm-x72m-q53q
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DNMFS3IH74KEMMESOA3EOB6MZ56TWGFF/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IVA7K73WHQH4KVFDJQ7ELIUD2WK5ZT5E/
https://nvd.nist.gov/vuln/detail/CVE-2023-48706
https://security.netapp.com/advisory/ntap-20240105-0001/
https://www.cve.org/CVERecord?id=CVE-2023-48706

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-11-22T22:03:39.503Z

Updated: 2025-02-13T17:18:19.931Z

Reserved: 2023-11-17T19:43:37.554Z

Link: CVE-2023-48706

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-11-22T22:15:08.673

Modified: 2024-11-21T08:32:17.980

Link: CVE-2023-48706

Redhat

Severity : Low

Publid Date: 2023-11-22T00:00:00Z

Links: CVE-2023-48706 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-48706", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-11-17T19:43:37.554Z", "datePublished": "2023-11-22T22:03:39.503Z", "dateUpdated": "2025-02-13T17:18:19.931Z"}, "containers": {"cna": {"title": "Vim has heap-use-after-free at /src/charset.c:1770:12 in skipwhite", "problemTypes": [{"descriptions": [{"cweId": "CWE-416", "lang": "en", "description": "CWE-416: Use After Free", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 3.6, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/vim/vim/security/advisories/GHSA-c8qm-x72m-q53q", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/vim/vim/security/advisories/GHSA-c8qm-x72m-q53q"}, {"name": "https://github.com/vim/vim/pull/13552", "tags": ["x_refsource_MISC"], "url": "https://github.com/vim/vim/pull/13552"}, {"name": "https://github.com/vim/vim/commit/26c11c56888d01e298cd8044caf860f3c26f57bb", "tags": ["x_refsource_MISC"], "url": "https://github.com/vim/vim/commit/26c11c56888d01e298cd8044caf860f3c26f57bb"}, {"name": "https://github.com/gandalf4a/crash_report/blob/main/vim/vim_huaf", "tags": ["x_refsource_MISC"], "url": "https://github.com/gandalf4a/crash_report/blob/main/vim/vim_huaf"}, {"url": "http://www.openwall.com/lists/oss-security/2023/11/22/3"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DNMFS3IH74KEMMESOA3EOB6MZ56TWGFF/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IVA7K73WHQH4KVFDJQ7ELIUD2WK5ZT5E/"}, {"url": "https://security.netapp.com/advisory/ntap-20240105-0001/"}], "affected": [{"vendor": "vim", "product": "vim", "versions": [{"version": "< 9.0.2121", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-01-05T18:06:19.220Z"}, "descriptions": [{"lang": "en", "value": "Vim is a UNIX editor that, prior to version 9.0.2121, has a heap-use-after-free vulnerability. When executing a `:s` command for the very first time and using a sub-replace-special atom inside the substitution part, it is possible that the recursive `:s` call causes free-ing of memory which may later then be accessed by the initial `:s` command. The user must intentionally execute the payload and the whole process is a bit tricky to do since it seems to work only reliably for the very first :s command. It may also cause a crash of Vim. Version 9.0.2121 contains a fix for this issue."}], "source": {"advisory": "GHSA-c8qm-x72m-q53q", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T21:37:54.655Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/vim/vim/security/advisories/GHSA-c8qm-x72m-q53q", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/vim/vim/security/advisories/GHSA-c8qm-x72m-q53q"}, {"name": "https://github.com/vim/vim/pull/13552", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/vim/vim/pull/13552"}, {"name": "https://github.com/vim/vim/commit/26c11c56888d01e298cd8044caf860f3c26f57bb", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/vim/vim/commit/26c11c56888d01e298cd8044caf860f3c26f57bb"}, {"name": "https://github.com/gandalf4a/crash_report/blob/main/vim/vim_huaf", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/gandalf4a/crash_report/blob/main/vim/vim_huaf"}, {"url": "http://www.openwall.com/lists/oss-security/2023/11/22/3", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DNMFS3IH74KEMMESOA3EOB6MZ56TWGFF/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IVA7K73WHQH4KVFDJQ7ELIUD2WK5ZT5E/", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240105-0001/", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vim:vim:*:*:*:*:*:*:*:*", "matchCriteriaId": "F978DA02-FB07-40A0-BD9E-CAC3945B4E2D", "versionEndExcluding": "9.0.2121", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Vim is a UNIX editor that, prior to version 9.0.2121, has a heap-use-after-free vulnerability. When executing a `:s` command for the very first time and using a sub-replace-special atom inside the substitution part, it is possible that the recursive `:s` call causes free-ing of memory which may later then be accessed by the initial `:s` command. The user must intentionally execute the payload and the whole process is a bit tricky to do since it seems to work only reliably for the very first :s command. It may also cause a crash of Vim. Version 9.0.2121 contains a fix for this issue."}, {"lang": "es", "value": "Vim es un editor UNIX que, antes de la versi\u00f3n 9.0.2121, tiene una vulnerabilidad de heap-use-after-free. Al ejecutar un comando `:s` por primera vez y utilizar un \u00e1tomo subreemplazante especial dentro de la parte de sustituci\u00f3n, es posible que la llamada recursiva `:s` provoque la liberaci\u00f3n de memoria a la que luego se podr\u00e1 acceder por el comando inicial `:s`. El usuario debe ejecutar intencionalmente el payload y todo el proceso es un poco complicado de realizar ya que parece funcionar solo de manera confiable para el primer comando :s. Tambi\u00e9n puede provocar un bloqueo de Vim. La versi\u00f3n 9.0.2121 contiene una soluci\u00f3n para este problema."}], "id": "CVE-2023-48706", "lastModified": "2024-11-21T08:32:17.980", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 3.6, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-11-22T22:15:08.673", "references": [{"source": "security-advisories@github.com", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2023/11/22/3"}, {"source": "security-advisories@github.com", "tags": ["Exploit"], "url": "https://github.com/gandalf4a/crash_report/blob/main/vim/vim_huaf"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/vim/vim/commit/26c11c56888d01e298cd8044caf860f3c26f57bb"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/vim/vim/pull/13552"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/vim/vim/security/advisories/GHSA-c8qm-x72m-q53q"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DNMFS3IH74KEMMESOA3EOB6MZ56TWGFF/"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IVA7K73WHQH4KVFDJQ7ELIUD2WK5ZT5E/"}, {"source": "security-advisories@github.com", "url": "https://security.netapp.com/advisory/ntap-20240105-0001/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Patch", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2023/11/22/3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "https://github.com/gandalf4a/crash_report/blob/main/vim/vim_huaf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/vim/vim/commit/26c11c56888d01e298cd8044caf860f3c26f57bb"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/vim/vim/pull/13552"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/vim/vim/security/advisories/GHSA-c8qm-x72m-q53q"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DNMFS3IH74KEMMESOA3EOB6MZ56TWGFF/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IVA7K73WHQH4KVFDJQ7ELIUD2WK5ZT5E/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20240105-0001/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "vim: use-after-free in ex_substitute in Vim", "id": "2251118", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2251118"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.7", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-416", "details": ["Vim is a UNIX editor that, prior to version 9.0.2121, has a heap-use-after-free vulnerability. When executing a `:s` command for the very first time and using a sub-replace-special atom inside the substitution part, it is possible that the recursive `:s` call causes free-ing of memory which may later then be accessed by the initial `:s` command. The user must intentionally execute the payload and the whole process is a bit tricky to do since it seems to work only reliably for the very first :s command. It may also cause a crash of Vim. Version 9.0.2121 contains a fix for this issue.", "A heap use-after-free flaw was found in the vim package. When executing a `:s` command for the first time and using a sub-replace-special atom inside the substitution part, it is possible that the recursive `:s` call causes memory to be freed, which may later then be accessed by the initial `:s` command. This issue may result in Vim crashing."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2023-48706", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "vim", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "vim", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "vim", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "vim", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2023-11-22T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-48706\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-48706\nhttp://www.openwall.com/lists/oss-security/2023/11/22/3\nhttps://github.com/vim/vim/security/advisories/GHSA-c8qm-x72m-q53q"], "statement": "Red Hat considers this as a low impact since it requires the command to be run for the very first time and access to the shell in order to run the payload.", "threat_severity": "Low", "upstream_fix": "vim 9.0.2121"}