It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2022-2022-116 advisory.

    A heap buffer over-read vulnerability was found in Vim's grab_file_name() function of the src/findfile.c     file. This flaw occurs because the function reads after the NULL terminates the line with gf in Visual     block mode. This flaw allows an attacker to trick a user into opening a specially crafted file, triggering     a heap buffer over-read vulnerability that causes an application to crash and corrupt memory.
    (CVE-2022-1720)

    A flaw was found in vim. The vulnerability occurs due to Illegal memory access and leads to an out-of-     bounds write vulnerability in the ex_cmds function. This flaw allows an attacker to input a specially     crafted file, leading to a crash or code execution. (CVE-2022-1785)

    A flaw was found in vim. The vulnerability occurs due to Illegal memory access and leads to a use after     free vulnerability. This flaw allows an attacker to input a specially crafted file, leading to a crash or     code execution. (CVE-2022-1796)

    A flaw was found in vim. The vulnerability occurs due to Illegal memory access and leads to an out-of-     bounds read vulnerability in the gchar_cursor function. This flaw allows an attacker to input a specially     crafted file, leading to a crash or code execution. (CVE-2022-1851)

    A heap buffer overflow flaw was found in Vim's utf_head_off() function in the mbyte.c file. This flaw     allows an attacker to trick a user into opening a specially crafted file, triggering a heap buffer     overflow that causes an application to crash, leading to a denial of service and possibly some amount of     memory leak. (CVE-2022-1886)

    A flaw was found in vim. The vulnerability occurs due to Illegal memory access and leads to an out-of-     bounds write vulnerability in the vim_regsub_both function. This flaw allows an attacker to input a     specially crafted file, leading to a crash or code execution. (CVE-2022-1897)

    A flaw was found in vim. The vulnerability occurs due to Illegal memory access and leads to a use-after-     free vulnerability in the find_pattern_in_path function. This flaw allows an attacker to input a specially     crafted file, leading to a crash or code execution. (CVE-2022-1898)

    A flaw was found in vim. The vulnerability occurs due to Illegal memory access and leads to a buffer over-     read vulnerability in the utf_ptr2char function. This flaw allows an attacker to input a specially crafted     file, leading to a crash or code execution. (CVE-2022-1927)

    An out-of-bounds write vulnerability was found in Vim's vim_regsub_both() function in the src/regexp.c     file. The flaw can open a command-line window from a substitute expression when a text or buffer is     locked. This flaw allows an attacker to trick a user into opening a specially crafted file, triggering an     out-of-bounds write that causes an application to crash, possibly reading and modifying some amount of     memory contents. (CVE-2022-1942)

    A flaw was found in vim. The vulnerability occurs due to Illegal memory access and leads to a use-after-     free vulnerability in the utf_ptr2char function. This flaw allows an attacker to input a specially crafted     file, leading to a crash or code execution. (CVE-2022-1968)

    An out-of-bounds write vulnerability was found in Vim's append_command() function of the src/ex_docmd.c     file. This issue occurs when an error for a command goes over the end of IObuff. This flaw allows an     attacker to trick a user into opening a specially crafted file, triggering a heap buffer overflow that     causes an application to crash and corrupt memory. (CVE-2022-2000)

    A heap use-after-free vulnerability was found in Vim's skipwhite() function of the src/charset.c file.
    This flaw occurs because of an uninitialized attribute value and freed memory in the spell command. This     flaw allows an attacker to trick a user into opening a specially crafted file, triggering a heap use-     after-free that causes an application to crash and corrupt memory. (CVE-2022-2042)

    Buffer Over-read in GitHub repository vim/vim prior to 8.2. (CVE-2022-2124)

    Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2. (CVE-2022-2125)

    Out-of-bounds Read in GitHub repository vim/vim prior to 8.2. (CVE-2022-2126)

    Out-of-bounds Write in GitHub repository vim/vim prior to 8.2. (CVE-2022-2129)

    A heap buffer over-read vulnerability was found in Vim's put_on_cmdline() function of the src/ex_getln.c     file. This issue occurs due to invalid memory access when using an expression on the command line. This     flaw allows an attacker to trick a user into opening a specially crafted file, triggering a heap buffer     overflow that causes an application to crash and corrupt memory. (CVE-2022-2175)

    Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2. (CVE-2022-2182)

    Out-of-bounds Read in GitHub repository vim/vim prior to 8.2. (CVE-2022-2183)

    Out-of-bounds Read in GitHub repository vim/vim prior to 8.2. (CVE-2022-2206)

    Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2. (CVE-2022-2207)

    NULL Pointer Dereference in GitHub repository vim/vim prior to 8.2.5163. (CVE-2022-2208)

    Out-of-bounds Write in GitHub repository vim/vim prior to 8.2. (CVE-2022-2210)

    NULL Pointer Dereference in GitHub repository vim/vim prior to 8.2. (CVE-2022-2231)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

Amazon Linux 2022 : vim-common, vim-data, vim-default-editor (ALAS2022-2022-116)

high Nessus Plugin ID 164766

Version 1.10

Version 1.9

Version 1.8

Version 1.7

Version 1.6

Version 1.5

Version 1.4

Version 1.10 Dec 12, 2024, 9:55 AM CVSS metrics ("Cvssv4 score" set to 0.0) CVSSv2 severity (based on None, severity decreased from "High" to "Low") Detection (updated detection logic) Plugin metadata Plugin Feed: 202412120955
Version 1.9 Oct 12, 2023, 2:08 PM CVSS temporal metrics ("CVSSv2 temporal vector" set to "CVSS2#E:POC/RL:OF/RC:C". "CVSSv3 temporal vector" set to "CVSS:3.0/E:P/RL:O/RC:C") CVSSv3 score source (set to "CVE-2022-2210") Exploit attributes ("Exploit available" set to "True". "Exploitability ease" changed from "No known exploits are available" to "Exploits are available") Plugin Feed: 202310121408
Version 1.8 Mar 27, 2023, 6:02 PM IAVM reference Plugin Feed: 202303271802
Version 1.7 Mar 10, 2023, 10:21 AM IAVM reference Plugin Feed: 202303101021
Version 1.6 Dec 15, 2022, 4:16 PM IAVM reference Plugin Feed: 202212151616
Version 1.5 Nov 21, 2022, 1:49 PM CVSS metrics CVSSv2 severity (Based on CVE-2022-2210 severity decreased from High to Medium) CVSSv3 score source (Changed from None to CVE-2022-2210) Plugin Feed: 202211211349
Version 1.4 Nov 17, 2022, 9:58 PM IAVM reference STIG Severity Plugin Feed: 202211172158