CVE-2017-17087
vim - security update
CVSS 3.1: 5.5 (MEDIUM)
EPSS: 0.14%
Description
fileio.c in Vim prior to 8.0.1263 sets the group ownership of a .swp file to the editor's primary group (which may be different from the group ownership of the original file), which allows local users to obtain sensitive information by leveraging an applicable group membership, as demonstrated by /etc/shadow owned by root:shadow mode 0640, but /etc/.shadow.swp owned by root:users mode 0640, a different vulnerability than CVE-2017-1000382.
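A check for the condition described above, as an added example that is not part of the advisory or of Vim's code: it walks a directory tree and reports `.swp` files that are group-readable under a group different from the original file's. It assumes the `.name.swp` naming shown in the advisory's example (`/etc/.shadow.swp` for `/etc/shadow`); `original_for_swap`, `is_exposed` and `audit` are names chosen here.

```python
import os
import stat
import sys
from pathlib import Path


def original_for_swap(swap):
    """Map '.name.swp' to 'name' in the same directory.

    Assumption: only the naming from the advisory's example is handled.
    """
    name = swap.name
    if name.startswith(".") and name.endswith(".swp") and len(name) > 5:
        return swap.with_name(name[1:-4])
    return None


def is_exposed(orig_st, swap_st):
    """True when the swap file is group-readable under a group other than the original's."""
    return (swap_st.st_gid != orig_st.st_gid
            and bool(swap_st.st_mode & stat.S_IRGRP))


def audit(root):
    """Return (swap, original, swap_gid, original_gid) for each exposed swap file under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            swap = Path(dirpath) / fname
            orig = original_for_swap(swap)
            if orig is None:
                continue
            try:
                swap_st, orig_st = os.lstat(swap), os.lstat(orig)
            except OSError:
                continue  # original no longer exists or cannot be stat'ed
            if stat.S_ISREG(swap_st.st_mode) and is_exposed(orig_st, swap_st):
                findings.append((str(swap), str(orig), swap_st.st_gid, orig_st.st_gid))
    return findings


if __name__ == "__main__":
    for swap, orig, sgid, ogid in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{swap}: gid {sgid} differs from {orig} gid {ogid}")
```

A swap file with no surviving original is skipped, so stale swap files need a separate cleanup pass.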
How to fix CVE-2017-17087
To remediate CVE-2017-17087, upgrade the affected package to a fixed version below.
- Upgrade to 2:8.0.1401-1 or later
- Upgrade to 2:8.0.0197-4+deb9u4 or later
Is CVE-2017-17087 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 2:8.0.1401-1
- from 0, < 2:8.0.0197-4+deb9u4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.5 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |