{
  "threat_severity" : "Low",
  "public_date" : "2021-10-26T00:00:00Z",
  "bugzilla" : {
    "description" : "vim: heap-based buffer overflow in gchar_cursor() in misc1.c",
    "id" : "2021290",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2021290"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-119",
  "details" : [ "vim is vulnerable to Heap-based Buffer Overflow", "A flaw was found in vim. A possible heap-based buffer overflow could allow an attacker to input a specially crafted file leading to a crash or code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability." ],
  "statement" : "This vulnerability can only be exloited if the victim opens a specifically crafter file that will cause the heap to overflow. Considering the mitigations like ASLR available in the Linux kernel and the user interaction required, RH ProdSec has set the Impact of this vulnerability to \"Low\"",
  "package_state" : [ {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Not affected",
    "package_name" : "rhacm2/openshift-hive-rhel8",
    "cpe" : "cpe:/a:redhat:acm:2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "vim",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "vim",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "vim",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "vim",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-3927\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-3927" ],
  "name" : "CVE-2021-3927",
  "mitigation" : {
    "value" : "Do not run untrusted vim scripts with -s {scriptin} as it is never safe to do so.",
    "lang" : "en:us"
  },
  "csaw" : false
}