CVE-2019-12735
getchar.c in Vim before 8.1.1365 and Neovim before 0.3.6 allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline, as demonstrated by execute in Vim, and assert_fails or nvim_input in Neovim.
Affected products
n/a · n/a
Public PoCs found — 6
github: github.com/pcy190/ace-vim-neovim ★ 9
github: github.com/oldthree3/CVE-2019-12735-VIM-NEOVIM ★ 2
github: github.com/nickylimjj/cve-2019-12735 ★ 1
github: github.com/datntsec/CVE-2019-12735 ★ 0
github: github.com/st9007a/CVE-2019-12735 ★ 0
cve_reference: www.exploit-db.com/exploits/46973 (unverified)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00031.html
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00036.html
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00037.html
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00034.html
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00050.html
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00075.html
https://access.redhat.com/errata/RHSA-2019:1619
https://access.redhat.com/errata/RHSA-2019:1774
https://access.redhat.com/errata/RHSA-2019:1793
https://access.redhat.com/errata/RHSA-2019:1947
https://bugs.debian.org/930020
https://bugs.debian.org/930024