CVE-2024-45306

Vim is an open source, command line text editor. Patch v9.1.0038 optimized how the cursor position is calculated and removed a loop, that verified that the cursor position always points inside a line and does not become invalid by pointing beyond the end of a line. Back then we assumed this loop is unnecessary. However, this change made it possible that the cursor position stays invalid and points beyond the end of a line, which would eventually cause a heap-buffer-overflow when trying to access the line pointer at the specified cursor position. It's not quite clear yet, what can lead to this situation that the cursor points to an invalid position. That's why patch v9.1.0707 does not include a test case. The only observed impact has been a program crash. This issue has been addressed in with the patch v9.1.0707. All users are advised to upgrade.

CVSS v3 4.5 MEDIUM

4.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.0 / Impact : 3.4

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/vim/vim/commit/396fd1ec2956307755392a1	Patch
https://github.com/vim/vim/releases/tag/v9.1.0038	Release Notes
https://github.com/vim/vim/security/advisories/GHSA-wxf9-c5gx-qrwr	Third Party Advisory
https://security.netapp.com/advisory/ntap-20241004-0007/

Configurations

Configuration 1 (hide)

cpe:2.3:a:vim:vim:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2024-09-02 18:15

Updated : 2024-11-21 09:37

NVD link : CVE-2024-45306

Mitre link : CVE-2024-45306

CVE.ORG link : CVE-2024-45306

JSON object : View

Products Affected

vim

vim

CWE

CWE-122

Heap-based Buffer Overflow

CWE-787

Out-of-bounds Write

{"id": "CVE-2024-45306", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 1.0}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-09-02T18:15:36.920", "references": [{"url": "https://github.com/vim/vim/commit/396fd1ec2956307755392a1", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/vim/vim/releases/tag/v9.1.0038", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/vim/vim/security/advisories/GHSA-wxf9-c5gx-qrwr", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://security.netapp.com/advisory/ntap-20241004-0007/", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-122"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-787"}]}], "descriptions": [{"lang": "en", "value": "Vim is an open source, command line text editor. Patch v9.1.0038 optimized how the cursor position is calculated and removed a loop, that verified that the cursor position always points inside a line and does not become invalid by pointing beyond the end of\na line. Back then we assumed this loop is unnecessary. However, this change made it possible that the cursor position stays invalid and points beyond the end of a line, which would eventually cause a heap-buffer-overflow when trying to access the line pointer at\nthe specified cursor position. It's not quite clear yet, what can lead to this situation that the cursor points to an invalid position. That's why patch v9.1.0707 does not include a test case. The only observed impact has been a program crash. This issue has been addressed in with the patch v9.1.0707. All users are advised to upgrade."}, {"lang": "es", "value": "Vim es un editor de texto de l\u00ednea de comandos de c\u00f3digo abierto. El parche v9.1.0038 optimiz\u00f3 la forma en que se calcula la posici\u00f3n del cursor y elimin\u00f3 un bucle que verificaba que la posici\u00f3n del cursor siempre apuntara dentro de una l\u00ednea y no se volviera inv\u00e1lida al apuntar m\u00e1s all\u00e1 del final de una l\u00ednea. En ese entonces, asumimos que este bucle era innecesario. Sin embargo, este cambio hizo posible que la posici\u00f3n del cursor permaneciera inv\u00e1lida y apuntara m\u00e1s all\u00e1 del final de una l\u00ednea, lo que eventualmente causar\u00eda un desbordamiento del b\u00fafer de pila al intentar acceder al puntero de l\u00ednea en la posici\u00f3n del cursor especificada. A\u00fan no est\u00e1 del todo claro qu\u00e9 puede llevar a esta situaci\u00f3n en la que el cursor apunta a una posici\u00f3n inv\u00e1lida. Es por eso que el parche v9.1.0707 no incluye un caso de prueba. El \u00fanico impacto observado ha sido un bloqueo del programa. Este problema se ha solucionado con el parche v9.1.0707. Se recomienda a todos los usuarios que actualicen."}], "lastModified": "2024-11-21T09:37:39.000", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:vim:vim:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1DDF532D-C43E-4045-BFF5-364B7BF41E99", "versionEndExcluding": "9.1.0707", "versionStartIncluding": "9.1.0038"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}