Support Content Notification - Support Portal

Path traversal issues in Vims tar.vim and zip.vim plugins

Product/Component

Brocade ASC-Gateway OVA

3 more products

Notification Id

37152

Last Updated

03 March 2026

Initial Publication Date

03 March 2026

Status

CLOSED

Severity

LOW

CVSS Base Score

4.1

WorkAround

Affected CVE

CVE-2025-53905, CVE-2025-53906

Brocade Security Advisory ID	BSA-2026-3187
Component	Vim

Summary

CVE-2025-53905

Vim is an open source, command line text editor. Prior to version 9.1.1552, a path traversal issue in Vim’s tar.vim plugin can allow overwriting of arbitrary files when opening specially crafted tar archives. Impact is low because this exploit requires direct user interaction. However, successfully exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive. The victim must edit such a file using Vim which will reveal the filename and the file content, a careful user may suspect some strange things going on. Successful exploitation could results in the ability to execute arbitrary commands on the underlying operating system.

CVE-2025-53906

Vim is an open source, command line text editor. Prior to version 9.1.1551, a path traversal issue in Vim’s zip.vim plugin can allow overwriting of arbitrary files when opening specially crafted zip archives. Impact is low because this exploit requires direct user interaction. However, successfully exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive. The victim must edit such a file using Vim which will reveal the filename and the file content, a careful user may suspect some strange things going on. Successful exploitation could results in the ability to execute arbitrary commands on the underlying operating system.

Products Affected

No Brocade products are affected

Products Not Affected

Brocade Fabric OS
[VEX Justification: Component_not_present]
Brocade SANnav
[VEX Justification: Code_not_present]
Brocade ASCG
[VEX Justification: Vulnerable_code_not_in_execute_path]

Solution

While not exploitable, security update provided in Brocade SANnav 3.0.0
While not exploitable, security update provided in Brocade ASCG 3.4.0

Revision History

Version	Change	Date
1.0	Initial Publication	March 3, 2026

Disclaimer

THIS DOCUMENT IS PROVIDED ON AN AS-IS BASIS SOLELY FOR INFORMATIONAL PURPOSES AND DOES NOT IMPLY ANY KIND OF GUARANTY OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. YOUR USE OF THE INFORMATION CONTAINED HEREIN IS AT YOUR OWN RISK. ALL INFORMATION PROVIDED HEREIN IS BASED ON BROCADE'S CURRENT KNOWLEDGE AND UNDERSTANDING OF THE VULNERABILITY AND IMPACT TO BROCADE HARDWARE AND SOFTWARE PRODUCTS. BROCADE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.