
Cloud Vulnerability DB
A community-led vulnerabilities database
An Untrusted Search Path vulnerability (CVE-2023-4736) was discovered in the GitHub repository vim/vim prior to version 9.0.1833. The vulnerability was identified and disclosed in September 2023 and affects Vim text editor installations, particularly on Windows systems, where the current directory is implicitly in the PATH (NVD, CVE).
The vulnerability is related to runtime files that may execute code from the current directory. This includes the perl, zig and ruby filetype plugins and the zip and gzip autoload plugins, which could load malicious executable files from the current working directory when they invoke an external tool by bare name. This is particularly problematic on Windows systems, where the current directory is implicitly in the PATH and Windows may execute files with extensions such as .bat because of PATHEXT. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.8 (HIGH) with vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD).
If exploited, this vulnerability could allow execution of malicious code from the current directory, potentially leading to unauthorized code execution with elevated privileges. The vulnerability affects confidentiality, integrity, and availability, all rated as High in the CVSS scoring (NVD).
The vulnerability was patched in Vim version 9.0.1833. The fix ensures that files are not executed from the current directory by implementing checks on the execution path. For the zip and gzip plugins, the fix includes error messages when attempting to execute from the current directory, while for ftplugins, the commands are silently not run. Users are advised to upgrade to Vim version 9.0.1833 or later (Vim Commit).
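To make the search-path problem concrete, the following Python model is an added example written for this page; it is not Vim's own code and does not reproduce the actual patch. It simulates the Windows lookup the advisory describes (working directory searched implicitly first, then PATH, trying each PATHEXT suffix), beside a hardened resolver that never accepts a match from the working directory and reports any file there that would have shadowed the real tool. The directory layout, file names and the `PATHEXT` list are constructed for the demo.

```python
import os
import tempfile
from pathlib import Path

# Constructed stand-in for the Windows PATHEXT list (lowercase so the demo also
# runs on case-sensitive filesystems).
PATHEXT = [".com", ".exe", ".bat", ".cmd"]


def resolve_command(cmd, path_dirs, pathext, cwd, cwd_in_path):
    """Model of the lookup the advisory describes: with cwd_in_path=True the
    working directory is searched before every PATH entry, and for each
    directory the bare name and every PATHEXT suffix are tried in order.
    Returns the first existing file, or None."""
    search = ([cwd] if cwd_in_path else []) + list(path_dirs)
    for directory in search:
        for ext in [""] + list(pathext):
            candidate = Path(directory) / (cmd + ext)
            if candidate.is_file():
                return candidate
    return None


def safe_resolve_command(cmd, path_dirs, pathext, cwd):
    """Hardened lookup in the spirit of the fix: the working directory is never
    a search location, and any PATH entry that points at it is dropped.
    Returns (resolved_tool, shadowing_file); shadowing_file is the file in cwd
    that the unsafe lookup would have picked instead, or None."""
    cwd_resolved = Path(cwd).resolve()
    trusted_dirs = [d for d in path_dirs if Path(d).resolve() != cwd_resolved]
    real = resolve_command(cmd, trusted_dirs, pathext, cwd, cwd_in_path=False)
    shadow = resolve_command(cmd, [], pathext, cwd, cwd_in_path=True)
    return real, shadow


def path_lists_cwd(path_value, cwd, sep=os.pathsep):
    """Detection helper: True if a PATH string contains an empty entry, '.', or
    the working directory itself, any of which gives a Unix lookup the same
    current-directory-first behaviour Windows has implicitly."""
    cwd_resolved = Path(cwd).resolve()
    for entry in path_value.split(sep):
        if entry in ("", "."):
            return True
        if Path(entry).resolve() == cwd_resolved:
            return True
    return False


def demo():
    """Build a constructed tree: a trusted tools directory holding gzip.exe and
    a working directory that also holds gzip.bat. Returns the file name each
    lookup selects, plus the result of the PATH check on a dotted PATH."""
    with tempfile.TemporaryDirectory() as root:
        tools = Path(root) / "tools"
        work = Path(root) / "work"
        tools.mkdir()
        work.mkdir()
        (tools / "gzip.exe").write_text("real tool (constructed)")
        (work / "gzip.bat").write_text("file sitting in the working directory (constructed)")

        unsafe = resolve_command("gzip", [tools], PATHEXT, work, cwd_in_path=True)
        safe, shadow = safe_resolve_command("gzip", [tools], PATHEXT, work)
        return {
            "unsafe": unsafe.name,                     # picks gzip.bat from cwd
            "safe": safe.name,                         # picks gzip.exe from tools
            "shadow": shadow.name if shadow else None, # reports the shadowing file
            "dotted_path_flagged": path_lists_cwd(f"{tools}:.", work, sep=":"),
        }


if __name__ == "__main__":
    print(demo())
```

The unsafe lookup returns the `.bat` file from the working directory even though a legitimate `gzip.exe` exists on the PATH, which is exactly the shadowing the advisory describes; the hardened resolver returns the PATH copy and surfaces the shadowing file so a plugin can refuse with an error (as the patched zip and gzip plugins do) or silently skip the command (as the patched ftplugins do).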
Source: This report was generated using AI