CVE-2022-1616
Published on: Not Yet Published
Last Modified on: 05/03/2023 12:15:00 PM UTC
CVE-2022-1616 - advisory for 40f1d75f-fb2f-4281-b585-a41017f217e2
Source: Mitre Source: NIST CVE.ORG Print: PDF
Certain versions of Macos from Apple contain the following vulnerability:
Use after free in append_command in GitHub repository vim/vim prior to 8.2.4895. This vulnerability is capable of crashing software, Bypass Protection Mechanism, Modify Memory, and possible remote execution
- CVE-2022-1616 has been assigned by
[email protected] to track the vulnerability - currently rated as HIGH severity. - Affected Vendor/Software: vim - vim/vim version < 8.2.4895
CVSS3 Score: 7.8 - HIGH
| Attack Vector ⓘ |
Attack Complexity |
Privileges Required |
User Interaction |
|---|---|---|---|
| LOCAL | LOW | NONE | REQUIRED |
| Scope | Confidentiality Impact |
Integrity Impact |
Availability Impact |
| UNCHANGED | HIGH | HIGH | HIGH |
CVSS2 Score: 6.8 - MEDIUM
| Access Vector ⓘ |
Access Complexity |
Authentication |
|---|---|---|
| NETWORK | MEDIUM | NONE |
| Confidentiality Impact |
Integrity Impact |
Availability Impact |
| PARTIAL | PARTIAL | PARTIAL |
CVE References
| Description | Tags ⓘ | Link |
|---|---|---|
| [SECURITY] [DLA 3011-1] vim security update | lists.debian.org text/html |
MLIST [debian-lts-announce] 20220516 [SECURITY] [DLA 3011-1] vim security update |
| Full Disclosure: APPLE-SA-2022-10-27-5 Additional information for APPLE-SA-2022-10-24-2 macOS Ventura 13 | seclists.org text/html |
FULLDISC 20221030 APPLE-SA-2022-10-27-5 Additional information for APPLE-SA-2022-10-24-2 macOS Ventura 13 |
| [SECURITY] [DLA 3182-1] vim security update | lists.debian.org text/html |
MLIST [debian-lts-announce] 20221108 [SECURITY] [DLA 3182-1] vim security update |
| [SECURITY] Fedora 36 Update: vim-8.2.4927-1.fc36 - package-announce - Fedora Mailing-Lists | lists.fedoraproject.org text/html |
FEDORA FEDORA-2022-e92c3ce170 |
| Vim, gVim: Multiple Vulnerabilities (GLSA 202208-32) — Gentoo security | security.gentoo.org text/html |
GENTOO GLSA-202208-32 |
| About the security content of macOS Ventura 13 - Apple Support | support.apple.com text/html |
CONFIRM support.apple.com/kb/HT213488 |
| Vim, gVim: Multiple Vulnerabilities (GLSA 202305-16) — Gentoo security | security.gentoo.org text/html |
GENTOO GLSA-202305-16 |
| [SECURITY] Fedora 34 Update: vim-8.2.4927-1.fc34 - package-announce - Fedora Mailing-Lists | lists.fedoraproject.org text/html |
FEDORA FEDORA-2022-8df66cdbef |
| patch 8.2.4895: buffer overflow with invalid command with composing c… · vim/[email protected] · GitHub | github.com text/html |
MISC github.com/vim/vim/commit/d88934406c5375d88f8f1b65331c9f0cab68cc6c |
| Use after free in append_command vulnerability found in vim | huntr.dev text/html |
CONFIRM huntr.dev/bounties/40f1d75f-fb2f-4281-b585-a41017f217e2 |
| [SECURITY] Fedora 35 Update: vim-8.2.4927-1.fc35 - package-announce - Fedora Mailing-Lists | lists.fedoraproject.org text/html |
FEDORA FEDORA-2022-f0db3943d9 |
| Full Disclosure: APPLE-SA-2022-10-24-2 macOS Ventura 13 | seclists.org text/html |
FULLDISC 20221030 APPLE-SA-2022-10-24-2 macOS Ventura 13 |
Related QID Numbers
- 179292 Debian Security Update for vim (DLA 3011-1)
- 181198 Debian Security Update for vim (DLA 3182-1)
- 198939 Ubuntu Security Notification for Vim Vulnerabilities (USN-5613-1)
- 282670 Fedora Security Update for vim (FEDORA-2022-f0db3943d9)
- 282699 Fedora Security Update for vim (FEDORA-2022-8df66cdbef)
- 282700 Fedora Security Update for vim (FEDORA-2022-e92c3ce170)
- 296082 Oracle Solaris 11.4 Support Repository Update (SRU) 48.126.1 Missing (CPUJUL2022)
- 354009 Amazon Linux Security Advisory for vim : ALAS2-2022-1829
- 354033 Amazon Linux Security Advisory for vim : ALAS-2022-1628
- 354356 Amazon Linux Security Advisory for vim : ALAS2022-2022-116
- 354497 Amazon Linux Security Advisory for vim : ALAS2022-2022-155
- 354585 Amazon Linux Security Advisory for vim : ALAS-2022-155
- 355135 Amazon Linux Security Advisory for vim : ALAS2023-2023-098
- 671882 EulerOS Security Update for vim (EulerOS-SA-2022-1953)
- 671907 EulerOS Security Update for vim (EulerOS-SA-2022-1984)
- 671935 EulerOS Security Update for vim (EulerOS-SA-2022-2014)
- 671979 EulerOS Security Update for vim (EulerOS-SA-2022-2173)
- 671980 EulerOS Security Update for vim (EulerOS-SA-2022-2148)
- 672048 EulerOS Security Update for vim (EulerOS-SA-2022-2282)
- 672223 EulerOS Security Update for vim (EulerOS-SA-2022-2639)
- 710607 Gentoo Linux Vim, gVim Multiple Vulnerabilities (GLSA 202208-32)
- 710718 Gentoo Linux Vim, gVim Multiple Vulnerabilities (GLSA 202305-16)
- 752246 SUSE Enterprise Linux Security Update for vim (SUSE-SU-2022:2102-1)
- 753066 SUSE Enterprise Linux Security Update for vim (SUSE-SU-2022:4619-1)
- 901580 Common Base Linux Mariner (CBL-Mariner) Security Update for vim (9740)
- 901727 Common Base Linux Mariner (CBL-Mariner) Security Update for vim (9737)
- 902071 Common Base Linux Mariner (CBL-Mariner) Security Update for vim (9737-1)
- 902203 Common Base Linux Mariner (CBL-Mariner) Security Update for vim (9740-1)
Exploit/POC from Github
Use after free in append_command in GitHub repository vim/vim prior to 8.2.4895. This vulnerability is capable of cra…
Known Affected Configurations (CPE V2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Apple | Macos | All | All | All | All |
| Operating System | Debian | Debian Linux | 10.0 | All | All | All |
| Operating System | Debian | Debian Linux | 9.0 | All | All | All |
| Operating System | Fedoraproject | Fedora | 34 | All | All | All |
| Operating System | Fedoraproject | Fedora | 35 | All | All | All |
| Operating System | Fedoraproject | Fedora | 36 | All | All | All |
| Application | Vim | Vim | All | All | All | All |
- cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*:
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*:
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*:
- cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*:
- cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*:
- cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*:
- cpe:2.3:a:vim:vim:*:*:*:*:*:*:*:*:
No vendor comments have been submitted for this CVE
Social Mentions
| Source | Title | Posted (UTC) |
|---|---|---|
 @huntrHacktivity |
Use After Free in github.com/vim/vim (CVE-2022-1616) reported by @aldothecrott - Patch:… twitter.com/i/web/status/1… | 2022-05-06 20:01:48 |
| @CVEreport |
CVE-2022-1616 : Use after free in append_command in GitHub repository vim/vim prior to 8.2. This vulnerability is c… twitter.com/i/web/status/1… | 2022-05-07 19:13:20 |
 /r/netcve |
CVE-2022-1616 | 2022-05-07 20:38:50 |
| /r/k12cybersecurity |
MS-ISAC CYBERSECURITY ADVISORY - Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution - PATCH: NOW | 2022-10-27 12:48:22 |