Bug 1842658 (CVE-2019-20807) - CVE-2019-20807 vim: users can execute arbitrary OS commands via scripting interfaces in the rvim restricted mode
Summary: CVE-2019-20807 vim: users can execute arbitrary OS commands via scripting int...
Alias: CVE-2019-20807
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1842752 1842754 1842755
Blocks: 1842659
TreeView+ depends on / blocked
Reported: 2020-06-01 19:21 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-02-16 19:57 UTC (History)
4 users (show)

Fixed In Version: vim 8.1.088, vim 8.2.0884
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in vim in the restricted mode, where all commands that make use of external shells are disabled. However, it was found that users could still execute some arbitrary OS commands in the restricted mode. This flaw was fixed by filtering the functions that can call OS commands. Interfaces such as Python, Ruby, and Lua, are also disabled, as they can be used to execute shell commands. Perl uses the Safe module.
Clone Of:
Last Closed: 2020-11-04 02:25:41 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:4453 0 None None None 2020-11-04 01:07:58 UTC

Description Guilherme de Almeida Suckevicz 2020-06-01 19:21:31 UTC
In Vim before 8.1.0881, users can circumvent the rvim restricted mode and execute arbitrary OS commands via scripting interfaces (e.g., Python, Ruby, or Lua).

Reference and upstream commit:

Comment 1 Huzaifa S. Sidhpurwala 2020-06-02 03:44:49 UTC
Created vim tracking bugs for this issue:

Affects: fedora-all [bug 1842752]

Comment 4 Huzaifa S. Sidhpurwala 2020-06-02 03:53:05 UTC

Upstream suggests that users may still find loopholes to execute a shell commands, it has only been made difficult. So administrators should not assume that vim restricted mode will completely disable execution of OS commands.

Comment 8 errata-xmlrpc 2020-11-04 01:07:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4453 https://access.redhat.com/errata/RHSA-2020:4453

Comment 9 Product Security DevOps Team 2020-11-04 02:25:41 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Note You need to log in before you can comment on or make changes to this bug.