
Oracle Linux: CVE-2019-20807: ELSA-2020-4453: vim security update (MODERATE)

Severity: 5
CVSS v2 vector: AV:L/AC:L/Au:N/C:P/I:P/A:P
Published: Feb 8, 2020
Added: Nov 12, 2020
Modified: Dec 3, 2025

Description

In Vim before 8.1.0881, users can circumvent the rvim restricted mode and execute arbitrary OS commands via scripting interfaces (e.g., Python, Ruby, or Lua).

Vim's restricted mode (started as rvim, or with vim -Z) is meant to disable every command that makes use of an external shell. A flaw was found where users could still execute some arbitrary OS commands from within restricted mode. The fix filters the Vim functions that can call OS commands, and additionally disables the Python, Ruby, and Lua interfaces in restricted mode, since each of them can be used to execute shell commands. The Perl interface relies on Perl's Safe module instead.
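A practitioner triaging this advisory usually wants to know whether the Vim on a host still predates the fix. The following is an added example, not code from the advisory or from the Vim project: it parses the header of `vim --version` (the "VIM - Vi IMproved X.Y" line and the "Included patches:" line), decides whether upstream patch 8.1.0881 is present, and lists which of the scripting interfaces named above are compiled in. The sample outputs are constructed for offline use, not captured from a real system; `check_installed` runs the real binary when one is present.

```python
"""Triage helper for CVE-2019-20807 (Vim restricted-mode bypass, fixed in 8.1.0881).

Decision rule (from the advisory text): a Vim is fixed upstream if its version is
newer than 8.1, or if it is 8.1 and includes patch 881 or later.
"""
import re
import shutil
import subprocess
from typing import Dict, List, Optional, Tuple

FIX_VERSION = (8, 1)   # upstream fix shipped in the 8.1 series ...
FIX_PATCH = 881        # ... as patch 8.1.0881

# Constructed sample outputs for offline testing (not from a real host).
SAMPLE_VULNERABLE = """VIM - Vi IMproved 8.1 (2018 May 18, compiled Jan 15 2019 10:00:00)
Included patches: 1-600
Compiled by example@example.invalid
Huge version without GUI.  Features included (+) or not (-):
+python3/dyn +ruby/dyn +lua/dyn +perl/dyn
"""
SAMPLE_FIXED = """VIM - Vi IMproved 8.1 (2018 May 18, compiled Oct 10 2019 12:00:00)
Included patches: 1-2269
Compiled by example@example.invalid
Huge version without GUI.  Features included (+) or not (-):
+python3/dyn -ruby -lua -perl
"""
SAMPLE_NEWER = """VIM - Vi IMproved 9.0 (2022 Jun 28, compiled Jul 1 2022 09:00:00)
Included patches: 1-150
"""


def parse_version(text: str) -> Tuple[Tuple[int, int], int]:
    """Return ((major, minor), highest_included_patch) from `vim --version` output."""
    m = re.search(r"VIM - Vi IMproved (\d+)\.(\d+)", text)
    if not m:
        raise ValueError("input does not look like `vim --version` output")
    version = (int(m.group(1)), int(m.group(2)))
    # The patch list may be a range ("1-2269") or a mix ("1-3, 5, 7-100");
    # the highest number present is what matters for a "patch N or later" check.
    patches = re.search(r"Included patches:[ \t]*([\d,\s-]+)", text)
    highest = 0
    if patches:
        nums = [int(n) for n in re.findall(r"\d+", patches.group(1))]
        highest = max(nums) if nums else 0
    return version, highest


def scripting_interfaces(text: str) -> List[str]:
    """Names of the advisory's scripting interfaces compiled in ("+python3/dyn", "+ruby", ...)."""
    found = []
    for name in ("python", "ruby", "lua", "perl"):
        if re.search(rf"\+{name}\d*(/dyn)?\b", text):
            found.append(name)
    return found


def is_fixed_upstream(text: str) -> bool:
    """True if the version/patch level is at or beyond 8.1.0881."""
    version, highest = parse_version(text)
    if version != FIX_VERSION:
        return version > FIX_VERSION
    return highest >= FIX_PATCH


def assess(text: str) -> Dict[str, object]:
    """Classify a `vim --version` dump. Interfaces are reported for context only:
    the fix also filters shell-capable functions, so a build without any interface
    is still reported as vulnerable when it predates the patch."""
    version, highest = parse_version(text)
    return {
        "status": "fixed" if is_fixed_upstream(text) else "vulnerable",
        "version": f"{version[0]}.{version[1]}",
        "patch": highest,
        "interfaces": scripting_interfaces(text),
    }


def check_installed(binary: str = "vim") -> Optional[Dict[str, object]]:
    """Assess the Vim on this host, or return None if no binary is found."""
    path = shutil.which(binary)
    if path is None:
        return None
    out = subprocess.run([path, "--version"], capture_output=True, text=True, check=False)
    return assess(out.stdout)


if __name__ == "__main__":
    for label, sample in (("vulnerable", SAMPLE_VULNERABLE), ("fixed", SAMPLE_FIXED)):
        print(label, assess(sample))
    print("installed", check_installed())
```

One caveat for Oracle Linux specifically: the ELSA-2020-4453 packages carry the fix as a backport, so their `vim --version` header still reports a pre-8.1.0881 level and this heuristic would flag them. On RPM-based hosts treat the advisory's package versions and the package changelog (`rpm -q --changelog vim-minimal`) as authoritative, and use the version parse above only for self-built or upstream Vim.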

Solutions

oracle-linux-upgrade-vim-common
oracle-linux-upgrade-vim-enhanced
oracle-linux-upgrade-vim-filesystem
oracle-linux-upgrade-vim-minimal
oracle-linux-upgrade-vim-x11