Improper Data Handling

Affecting exim4 package, versions <4.89-2+deb9u5


Overview

Exim 4.85 through 4.92 (fixed in 4.92.1) allows remote code execution as root in some unusual configurations that use the ${sort } expansion for items that can be controlled by an attacker (e.g., $local_part or $domain).

CVSS Score

9.8 (high severity)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE: CVE-2019-13917
CWE: CWE-19
Snyk ID: SNYK-DEBIAN9-EXIM4-453442
Disclosed: 25 Jul, 2019
Published: 24 Jul, 2019