Medium severity5.5NVD Advisory· Published Dec 1, 2017· Updated May 13, 2026

CVE-2017-17087

Description

fileio.c in Vim prior to 8.0.1263 sets the group ownership of a .swp file to the editor's primary group (which may be different from the group ownership of the original file), which allows local users to obtain sensitive information by leveraging an applicable group membership, as demonstrated by /etc/shadow owned by root:shadow mode 0640, but /etc/.shadow.swp owned by root:users mode 0640, a different vulnerability than CVE-2017-1000382.

Affected products

Vim/Vim
cpe:2.3:a:vim:vim:*:*:*:*:*:*:*:*
Range: <8.0.1263
Canonical (company)/Ubuntu Linux2 versions
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*+ 1 more
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
Debian/Debian Linux2 versions
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/vim/vim/commit/5a73e0ca54c77e067c3b12ea6f35e3e8681e8cf8nvdPatchThird Party Advisory
security.cucumberlinux.com/security/details.phpnvdIssue TrackingThird Party Advisory
groups.google.com/d/msg/vim_dev/sRT9BtjLWMk/BRtSXNU4BwAJnvdIssue TrackingMailing ListThird Party Advisory
lists.debian.org/debian-lts-announce/2019/08/msg00003.htmlnvdMailing ListThird Party Advisory
lists.debian.org/debian-lts-announce/2022/01/msg00003.htmlnvdMailing ListThird Party Advisory
usn.ubuntu.com/4582-1/nvdThird Party Advisory
openwall.com/lists/oss-security/2017/11/27/2nvdMailing List

News mentions

No linked articles in our index yet.

cvss	0.358
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000