VDB
CVE-2008-4677
CVE-2008-4677
PUBLISHED
CVSS 4.300000190734863 MEDIUM
autoload/netrw.vim (aka the Netrw Plugin) 109, 131, and other versions before 133k for Vim 7.1.266, other 7.1 versions, and 7.2 stores credentials for an FTP session, and sends those credentials when attempting to establish subsequent FTP sessions to servers on different hosts, which allows remote FTP servers to obtain sensitive information in opportunistic circumstances by logging usernames and passwords. NOTE: the upstream vendor disputes a vector involving different ports on the same host, stating "I'm assuming that they're using the same id and password on that unchanged hostname, deliberately."
EPSS 0.93% · 76.5th percentile
Risk Scores
CVSS 2.0
4.300000190734863
EPSS Score
0.93%
76.5th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| n/a | n/a | n/a |
| vim | netrw | 109, 110, 111 |
Timeline
- Oct 22, 2008 CVE Published
- Feb 4, 2022 EPSS Score
- Mar 29, 2022 EPSS Score
- May 20, 2022 EPSS Score
- Jul 12, 2022 EPSS Score
- Oct 26, 2022 EPSS Score
- Dec 18, 2022 EPSS Score
- Feb 9, 2023 EPSS Score
- Mar 7, 2023 EPSS Score
- Apr 3, 2023 EPSS Score
- May 25, 2023 EPSS Score
- Jul 17, 2023 EPSS Score
References
- 30670 vdb
- SUSE-SR:2009:007 vendor-advisory
- 31464 third-party-advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=461750 url
- [vim_dev] 20080817 Re: Anyone fixing SA31464? mailing-list
- [oss-security] 20081020 CVE request (vim) mailing-list
- [oss-security] 20081016 CVE request - Vim netrw.plugin mailing-list
- 20080812 Vim: Netrw: FTP User Name and Password Disclosure mailing-list
- ADV-2008-2379 vdb
- 34418 third-party-advisory
- [oss-security] 20081006 CVE request - (vim : netrw plugin - ftp user credentials disclosure) mailing-list
- 20080812 Re: Vim: Netrw: FTP User Name and Password Disclosure mailing-list
- MDVSA-2008:236 vendor-advisory
- http://www.rdancer.org/vulnerablevim-netrw-credentials-dis.html url
- vim-netrw-ftp-information-disclosure(44419) vdb
- https://nvd.nist.gov/vuln/detail/CVE-2008-4677 advisory