CVE-2008-4677
Vim Netrw Plugin < 133k - FTP Credential Reuse Across Hosts
Title source: llmDescription
autoload/netrw.vim (aka the Netrw Plugin) 109, 131, and other versions before 133k for Vim 7.1.266, other 7.1 versions, and 7.2 stores credentials for an FTP session, and sends those credentials when attempting to establish subsequent FTP sessions to servers on different hosts, which allows remote FTP servers to obtain sensitive information in opportunistic circumstances by logging usernames and passwords. NOTE: the upstream vendor disputes a vector involving different ports on the same host, stating "I'm assuming that they're using the same id and password on that unchanged hostname, deliberately."
References (15)
Core 15
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/30670
Mailing List vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2009-03/msg00004.html
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/31464
Issue Tracking x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=461750
Mailing List mailing-list
x_refsource_mlist
http://groups.google.com/group/vim_dev/browse_thread/thread/2f6fad581a037971/a5fcf4c4981d34e6?show_docid=a5fcf4c4981d34e6
Mailing List mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2008/10/20/2
Mailing List mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2008/10/16/2
Third Party Advisory, VDB Entry mailing-list
x_refsource_bugtraq
http://www.securityfocus.com/archive/1/495436
Third Party Advisory vdb-entry
x_refsource_vupen
http://www.vupen.com/english/advisories/2008/2379
Third Party Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/34418
Mailing List mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2008/10/06/4
Third Party Advisory, VDB Entry mailing-list
x_refsource_bugtraq
http://www.securityfocus.com/archive/1/495432
Vendor Advisory vendor-advisory
x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2008:236
Various Sources x_refsource_misc
http://www.rdancer.org/vulnerablevim-netrw-credentials-dis.html
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/44419
Scores
EPSS
0.0093
EPSS Percentile
76.3%
Details
CWE
CWE-255
Status
published
Products (15)
vim/netrw
109
vim/netrw
110
vim/netrw
111
vim/netrw
112
vim/netrw
113
vim/netrw
114
vim/netrw
115
vim/netrw
116
vim/netrw
118
vim/netrw
120
... and 5 more
Published
Oct 22, 2008
Tracked Since
Feb 18, 2026