PT-2019-3260 · Vim+6

Arminius · Published 2016-11-22 · Updated 2026-02-27 · CVE-2019-12735

CVSS v2.0: 9.3 (High)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

Vim versions prior to 8.1.1365
Neovim versions prior to 0.3.6

Description

The issue is caused by a lack of filtering of the :source! command in a modeline, which allows remote attackers to execute arbitrary OS commands. This can lead to unauthorized access to confidential data, loss of data integrity, and denial of service. The problem occurs when modeline mode is enabled; it is on by default and allows editing options to be set from within a file.

Recommendations

For Vim versions prior to 8.1.1365, update to version 8.1.1365 or later to resolve the issue. For Neovim versions prior to 0.3.6, update to version 0.3.6 or later to resolve the issue. As a temporary workaround, consider disabling modeline mode with :set nomodeline until a patch is available.
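A host check against the fixed releases named above, as an added example that is not part of the original advisory: `ver_ge` and `classify_editor` are hypothetical helper names, and the parsing assumes the usual first lines of `vim --version` and `nvim --version` output. Distribution packages that backport the fix under an older version number will be reported as vulnerable, so confirm those against the vendor advisory.

```shell
#!/bin/sh
# Added example: classify `vim --version` / `nvim --version` output against
# the fixed releases in this advisory (Vim 8.1.1365, Neovim 0.3.6).

# ver_ge A B: succeed when dotted version A >= B, compared field by field.
ver_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# classify_editor: read version output on stdin and print
# "patched", "vulnerable" or "unknown".
classify_editor() {
    out=$(cat)
    first=$(printf '%s\n' "$out" | sed -n '1p')
    ver=""
    case $first in
        "VIM - Vi IMproved "*)
            base=$(printf '%s\n' "$first" |
                sed -n 's/^VIM - Vi IMproved \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
            # Highest patch number on the "Included patches:" line, 0 if absent.
            patch=$(printf '%s\n' "$out" | sed -n 's/^Included patches: //p' |
                tr -c '0-9\n' '\n' | sort -n | tail -n 1)
            ver=${base:+$base.${patch:-0}}
            fixed=8.1.1365 ;;
        "NVIM v"*)
            ver=$(printf '%s\n' "$first" | sed -n 's/^NVIM v\([0-9][0-9.]*\).*/\1/p')
            fixed=0.3.6 ;;
    esac
    if [ -z "$ver" ]; then echo unknown
    elif ver_ge "$ver" "$fixed"; then echo patched
    else echo vulnerable
    fi
}

# Report on whichever of the two editors is installed on this host.
for bin in vim nvim; do
    if command -v "$bin" >/dev/null 2>&1; then
        printf '%s: %s\n' "$bin" "$("$bin" --version 2>/dev/null | classify_editor)"
    fi
done
```

A host reported as vulnerable that cannot be updated immediately is a candidate for the `:set nomodeline` workaround in the recommendations.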

Exploit · Fix · RCE · OS Command Injection

Weakness Enumeration

Related Identifiers

ALT-PU-2016-2338
ALT-PU-2018-1878
ALT-PU-2019-2040
ALT-PU-2019-2042
ALT-PU-2019-2207
ALT-PU-2019-2567
BDU:2019-03251
CESA-2019_1619
CESA-2019_1774
CESA-2020_4453
CVE-2019-12735
DLA-1871-1
DSA-4467-1
DSA-4467-2
DSA-4487-1
ELSA-2019-1619
ELSA-2019-1774
MGASA-2020-0082
OPENSUSE-SU-2019:1551-1
OPENSUSE-SU-2019:1561-1
OPENSUSE-SU-2019:1759-1
OPENSUSE-SU-2019:1796-1
OPENSUSE-SU-2019:1997-1
OPENSUSE-SU-2019_1551-1
OPENSUSE-SU-2019_1561-1
OPENSUSE-SU-2019_1562-1
OPENSUSE-SU-2019_1759-1
OPENSUSE-SU-2024:11081-1
OPENSUSE-SU-2024:11497-1
RHSA-2019:1619
RHSA-2019:1774
RHSA-2019:1793
RHSA-2019:1947
RHSA-2019_1619
RHSA-2019_1774
RHSA-2020_4453
SUSE-SU-2019:14078-1
SUSE-SU-2019:1456-1
SUSE-SU-2019:1457-1
SUSE-SU-2019_14078-1
SUSE-SU-2019_1456-1
SUSE-SU-2019_1457-1
USN-4016-1
USN-4016-2
USN-4862-1

Affected Products

Alt Linux
CentOS
Neovim
Red Hat
SUSE
Ubuntu
Vim