Home > Vulnerability Database > CVE-2008-4677

Mend.io Vulnerability Database

CVE-2008-4677

Date: October 22, 2008

autoload/netrw.vim (aka the Netrw Plugin) 109, 131, and other versions before 133k for Vim 7.1.266, other 7.1 versions, and 7.2 stores credentials for an FTP session, and sends those credentials when attempting to establish subsequent FTP sessions to servers on different hosts, which allows remote FTP servers to obtain sensitive information in opportunistic circumstances by logging usernames and passwords. NOTE: the upstream vendor disputes a vector involving different ports on the same host, stating "I'm assuming that they're using the same id and password on that unchanged hostname, deliberately."

Severity Score

3.7

Related Resources (19)

Url: http://www.openwall.com/lists/oss-security/2008/10/16/2

Url: https://security-tracker.debian.org/tracker/CVE-2008-4677

Url: http://www.openwall.com/lists/oss-security/2008/10/20/2

Url: http://secunia.com/advisories/34418

Url: http://www.securityfocus.com/archive/1/495436

Url: https://exchange.xforce.ibmcloud.com/vulnerabilities/44419

Url: http://www.mandriva.com/security/advisories?name=MDVSA-2008:236

Url: http://www.rdancer.org/vulnerablevim-netrw-credentials-dis.html

Url: http://secunia.com/advisories/31464

Url: http://www.openwall.com/lists/oss-security/2008/10/06/4

Url: http://www.securityfocus.com/archive/1/495432

Url: http://www.securityfocus.com/bid/30670

Url: http://groups.google.com/group/vim_dev/browse_thread/thread/2f6fad581a037971/a5fcf4c4981d34e6?show_docid=a5fcf4c4981d34e6

Url: https://bugzilla.redhat.com/show_bug.cgi?id=461750

Url: http://www.vupen.com/english/advisories/2008/2379

Url: https://nvd.nist.gov/vuln/detail/CVE-2008-4677

Url: http://lists.opensuse.org/opensuse-security-announce/2009-03/msg00004.html

Url: https://people.canonical.com/~ubuntu-security/cve/CVE-2008-4677

Url: https://www.mend.io/vulnerability-database/CVE-2008-4677

Severity Score

3.7

Weakness Type (CWE)

Credentials Management

CWE-255

CVSS v3.1

Base Score:	3.7
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	NONE

CVSS v2

Base Score:	4.3
Access Vector (AV):	NETWORK
Access Complexity (AC):	MEDIUM
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	NONE
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2008-4677

Date: October 22, 2008

Severity Score

Related Resources (19)

Severity Score

Weakness Type (CWE)

CVSS v3.1

CVSS v2

Do you need more information?