VDB
CVE-2018-11319
PUBLISHED
Syntastic (aka vim-syntastic) through 3.9.0 does not properly handle searches for checker configuration files: it walks upward from the current directory, potentially all the way to the filesystem root, and uses the first file it finds. Because these files supply arguments to the compiler that syntastic invokes, an attacker with write access to any directory that is a parent of the checked project's base directory can plant a file that makes gcc load a malicious plugin, giving arbitrary code execution when the buffer is checked. NOTE: exploitation is more difficult after 3.8.0 because filename prediction may be needed.
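The upward search described above can be audited from the filesystem side: walk the same chain of parent directories, list every config file syntastic would pick up, and flag those sitting in a directory other users could write to. The Python below is an added example written for this page, not code from syntastic or from the advisory. It assumes the default C/C++ checker config-file names `.syntastic_c_config` and `.syntastic_cpp_config` (the `g:syntastic_c_config_file` / `g:syntastic_cpp_config_file` settings) and a one-option-per-line file format, and its `demo()` builds a constructed directory tree under a temporary directory so it runs offline.

```python
"""Audit the parent-directory config search that CVE-2018-11319 describes.

Added example for this page (not syntastic's own code). Assumptions are
marked in comments: the config-file names and the one-flag-per-line format.
"""
import os
import stat
import tempfile
from pathlib import Path

# Assumption: syntastic's default C/C++ checker config-file names
# (g:syntastic_c_config_file / g:syntastic_cpp_config_file). Adjust if
# your vimrc overrides them.
CONFIG_NAMES = (".syntastic_c_config", ".syntastic_cpp_config")

# gcc options that make the compiler load or execute a file the config
# author chooses. The advisory names the plugin case; -specs= and -wrapper
# are included here as further flags a reviewer should treat the same way.
DANGEROUS_PREFIXES = ("-fplugin", "-specs=", "-wrapper")


def ancestors(start):
    """Yield start and each of its parents up to the filesystem root: the
    same walk syntastic performs when looking for a config file."""
    p = Path(start).resolve()
    yield p
    yield from p.parents


def is_untrusted_dir(path, trusted_uids):
    """True if someone other than a trusted uid could create a file here:
    the directory is owned by an untrusted uid, or is group/other-writable
    (a sticky-bit directory such as /tmp still lets anyone add new files)."""
    st = path.stat()
    if st.st_uid not in trusted_uids:
        return True
    return bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def dangerous_flags(config_path):
    """Return the lines of a config file that would make gcc load or run an
    attacker-chosen file. Assumption: one option per line, '#' comments."""
    flags = []
    for line in config_path.read_text().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith(DANGEROUS_PREFIXES):
            flags.append(line)
    return flags


def audit_config_search(project_dir, trusted_uids=None, stop_at=None):
    """Walk from project_dir toward the root, recording every config file
    syntastic would pick up. Each finding is (path, in_untrusted_dir,
    dangerous_flags). stop_at bounds the walk; it exists for the demo below
    and should be None for a real audit so the walk reaches '/'."""
    if trusted_uids is None:
        trusted_uids = {0, os.getuid()}
    stop = Path(stop_at).resolve() if stop_at else None
    findings = []
    for d in ancestors(project_dir):
        untrusted = is_untrusted_dir(d, trusted_uids)
        for name in CONFIG_NAMES:
            cfg = d / name
            if cfg.is_file():
                findings.append((cfg, untrusted, dangerous_flags(cfg)))
        if stop is not None and d == stop:
            break
    return findings


def demo():
    """Constructed scenario: a world-writable directory between the project
    and the root holds a config that loads a gcc plugin; the project's own
    config is benign. Returns the audit findings, nearest directory first."""
    root = Path(tempfile.mkdtemp(prefix="syntastic-audit-"))
    shared = root / "shared"
    project = shared / "project"
    project.mkdir(parents=True)
    os.chmod(shared, 0o1777)   # like /tmp: anyone can add files
    os.chmod(project, 0o755)   # owned by us, not writable by others
    (shared / CONFIG_NAMES[0]).write_text(
        "# planted by an attacker\n-fplugin=/tmp/evil_plugin.so\n-I/usr/include\n")
    (project / CONFIG_NAMES[0]).write_text("-I./include\n-Wall\n")
    return audit_config_search(project, stop_at=root)


if __name__ == "__main__":
    for cfg, untrusted, flags in demo():
        print(f"{cfg}: untrusted_dir={untrusted} dangerous={flags}")
```

On a real system call `audit_config_search("/path/to/project")` with no `stop_at` so the walk reaches `/`; any finding whose directory is flagged untrusted is one a parent-directory attacker could have planted, and any finding with non-empty dangerous flags deserves a look regardless of who owns the directory. The world-writable check deliberately ignores the sticky bit, since the attack only needs to create a new file, not overwrite an existing one.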
Risk Scores
EPSS Score
0.84%
75.1th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:16.04:LTS | vim-syntastic | 3.6.0-1, 3.7.0-1, 3.6.0-2 |
| Ubuntu:18.04:LTS | vim-syntastic | 3.7.0-1, 3.8.0-1, 0 |
Exploit Intelligence
- https://bugs.debian.org/894736 (nist-nvd)
- https://github.com/vim-syntastic/syntastic/issues/2170 (nist-nvd)
- DSA-4261 (circl)
- https://github.com/vim-syntastic/syntastic/commit/6d7c0b394e001233dd09ec473fbea2002c72632f (circl)
- [debian-lts-announce] 20180726 [SECURITY] [DLA 1444-1] vim-syntastic security update (circl)
Timeline
- May 20, 2018 CVE Published
- Apr 14, 2021 EPSS Score
- Jun 23, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Dec 27, 2021 EPSS Score
- Feb 28, 2022 EPSS Score
- May 2, 2022 EPSS Score
- Jul 3, 2022 EPSS Score
- Nov 6, 2022 EPSS Score
- Jan 8, 2023 EPSS Score
- Mar 7, 2023 EPSS Score
- Mar 11, 2023 EPSS Score
References
- https://ubuntu.com/security/CVE-2018-11319 third-party-advisory
- https://github.com/vim-syntastic/syntastic/issues/2170 third-party-advisory
- https://github.com/vim-syntastic/syntastic/commit/6d7c0b394e001233dd09ec473fbea2002c72632f third-party-advisory
- https://bugs.debian.org/894736 third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2018-11319 third-party-advisory