In Vim before 8.1.0881, users can circumvent the rvim restricted mode and execute arbitrary OS commands via scripting interfaces (e.g., Python, Ruby, or Lua).

Reference and upstream commit:
https://github.com/vim/vim/releases/tag/v8.1.0881
https://github.com/vim/vim/commit/8c62a08faf89663e5633dc5036cd8695c80f1075
Created vim tracking bugs for this issue: Affects: fedora-all [bug 1842752]
Statement: Upstream suggests that users may still find loopholes to execute shell commands; it has only been made difficult. So administrators should not assume that vim restricted mode will completely disable execution of OS commands.
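
A defender-side check for the affected range described above, as an added example that is not part of the original bug report or of Vim: it parses `vim --version` output to tell whether patch 8.1.0881 is included and which of the named scripting interfaces are compiled in. The function names, the `review` flag and the sample outputs are assumptions made for illustration.

```python
import re

# From the page: Vim before 8.1.0881 is affected.
FIXED_MAJOR_MINOR, FIXED_PATCH = (8, 1), 881
# Interfaces the page gives as examples ("e.g."), so this list is not exhaustive.
IFACE_RE = re.compile(r"(?<!\S)\+(python3?|ruby|lua)(?=/|\s|$)")


def has_patch(version_text, number):
    """True if `number` falls in the 'Included patches:' list (e.g. '1-875, 881')."""
    m = re.search(r"^Included patches:\s*(.+)$", version_text, re.M)
    if not m:
        return False
    for part in m.group(1).split(","):
        lo, _, hi = part.strip().partition("-")
        hi = hi or lo  # a single patch number is a range of one
        if lo.isdigit() and hi.isdigit() and int(lo) <= number <= int(hi):
            return True
    return False


def assess(version_text):
    """Classify one host's `vim --version` output against the 8.1.0881 fix."""
    m = re.search(r"VIM - Vi IMproved (\d+)\.(\d+)", version_text)
    if not m:
        raise ValueError("not `vim --version` output")
    release = (int(m.group(1)), int(m.group(2)))
    if release == FIXED_MAJOR_MINOR:
        fixed = has_patch(version_text, FIXED_PATCH)
    else:
        fixed = release > FIXED_MAJOR_MINOR
    interfaces = sorted(set(IFACE_RE.findall(version_text)))
    # "review": build predates the fix and has a scripting interface compiled in.
    return {"release": release, "fixed": fixed, "interfaces": interfaces,
            "review": not fixed and bool(interfaces)}


# Constructed sample outputs (abridged), not captured from real hosts.
OLD = """VIM - Vi IMproved 8.1 (2018 May 18, compiled Jan 10 2019 09:00:00)
Included patches: 1-875, 878
Huge version without GUI.  Features included (+) or not (-):
+acl  +lua/dyn  -perl  +python3/dyn  -ruby  +syntax
"""
NEW = OLD.replace("1-875, 878", "1-1401")

if __name__ == "__main__":
    for name, text in (("old", OLD), ("new", NEW)):
        print(name, assess(text))
```

A distribution package fixed through an erratum may report a lower patch level than 8.1.0881, so a `review` result there is a prompt to check the package changelog. In line with the statement above, a `fixed` result does not mean restricted mode fully blocks OS command execution.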
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4453 https://access.redhat.com/errata/RHSA-2020:4453
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-20807