Exim

All CVEs

76 total · sorted by risk
  • CVE-2020-28021 · May 6, 2021
    risk 0.00 · cvss · epss 0.04

    Exim 4 before 4.94.2 has Improper Neutralization of Line Delimiters. An authenticated remote SMTP client can insert newline characters into a spool file (which indirectly leads to remote code execution as root) via AUTH= in a MAIL FROM command.

  • CVE-2020-28019 · May 6, 2021
    risk 0.00 · cvss · epss 0.61

    Exim 4 before 4.94.2 has Improper Initialization that can lead to recursion-based stack consumption or other consequences. This occurs because use of certain getc functions is mishandled when a client uses BDAT instead of DATA.

  • CVE-2020-28017 · May 6, 2021
    risk 0.00 · cvss · epss 0.36

    Exim 4 before 4.94.2 allows Integer Overflow to Buffer Overflow in receive_add_recipient via an e-mail message with fifty million recipients. NOTE: remote exploitation may be difficult because of resource consumption.

  • CVE-2020-28016 · May 6, 2021
    risk 0.00 · cvss · epss 0.00

    Exim 4 before 4.94.2 allows an off-by-two Out-of-bounds Write because "-F ''" is mishandled by parse_fix_phrase.

  • CVE-2020-28015 · May 6, 2021
    risk 0.00 · cvss · epss 0.00

    Exim 4 before 4.94.2 has Improper Neutralization of Line Delimiters. Local users can alter the behavior of root processes because a recipient address can have a newline character.

  • CVE-2020-28014 · May 6, 2021
    risk 0.00 · cvss · epss 0.01

    Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges. The -oP option is available to the exim user, and allows a denial of service because root-owned files can be overwritten.

  • CVE-2020-28013 · May 6, 2021
    risk 0.00 · cvss · epss 0.00

    Exim 4 before 4.94.2 allows Heap-based Buffer Overflow because it mishandles "-F '.('" on the command line, and thus may allow privilege escalation from any user to root. This occurs because of the interpretation of negative sizes in strncpy.

  • CVE-2020-28012 · May 6, 2021
    risk 0.00 · cvss · epss 0.00

    Exim 4 before 4.94.2 allows Exposure of File Descriptor to Unintended Control Sphere because rda_interpret uses a privileged pipe that lacks a close-on-exec flag.

  • CVE-2020-28011 · May 6, 2021
    risk 0.00 · cvss · epss 0.00

    Exim 4 before 4.94.2 allows Heap-based Buffer Overflow in queue_run via two sender options: -R and -S. This may cause privilege escalation from exim to root.

  • CVE-2020-28010 · May 6, 2021
    risk 0.00 · cvss · epss 0.00

    Exim 4 before 4.94.2 allows Out-of-bounds Write because the main function, while setuid root, copies the current working directory pathname into a buffer that is too small (on some common platforms).

  • CVE-2020-28009 · May 6, 2021
    risk 0.00 · cvss · epss 0.00

    Exim 4 before 4.94.2 allows Integer Overflow to Buffer Overflow because get_stdinput allows unbounded reads that are accompanied by unbounded increases in a certain size variable. NOTE: exploitation may be impractical because of the execution time needed to overflow (multiple…

  • CVE-2020-28008 · May 6, 2021
    risk 0.00 · cvss · epss 0.00

    Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges. Because Exim operates as root in the spool directory (owned by a non-root user), an attacker can write to a /var/spool/exim4/input spool header file, in which a crafted recipient address can indirectly lead to…

  • CVE-2020-28007 · May 6, 2021
    risk 0.00 · cvss · epss 0.01

    Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges. Because Exim operates as root in the log directory (owned by a non-root user), a symlink or hard link attack allows overwriting critical root-owned files anywhere on the filesystem.

  • CVE-2020-12783 · May 11, 2020
    risk 0.00 · cvss · epss 0.04

    Exim through 4.93 has an out-of-bounds read in the SPA authenticator that could result in SPA/NTLM authentication bypass in auths/spa.c and auths/auth-spa.c.

  • CVE-2020-8015 · Apr 2, 2020
    risk 0.00 · cvss · epss 0.01

    A UNIX Symbolic Link (Symlink) Following vulnerability in the packaging of exim in openSUSE Factory allows local attackers to escalate from user mail to root. This issue affects: openSUSE Factory exim versions prior to 4.93.0.4-3.1.

  • CVE-2015-9287 · May 13, 2019
    risk 0.00 · cvss · epss 0.02

    Directory Traversal was discovered in University of Cambridge mod_ucam_webauth before 2.0.2. The key identification field ("kid") of the IdP's HTTP response message ("WLS-Response") can be manipulated by an attacker. The "kid" field is not signed like the rest of the message,…

  • CVE-2014-2972 · Sep 4, 2014
    risk 0.00 · cvss · epss 0.00

    expand.c in Exim before 4.83 expands mathematical comparisons twice, which allows local users to gain privileges and execute arbitrary commands via a crafted lookup value.

  • CVE-2014-2957 · Sep 4, 2014
    risk 0.00 · cvss · epss 0.05

    The dmarc_process function in dmarc.c in Exim before 4.82.1, when EXPERIMENTAL_DMARC is enabled, allows remote attackers to execute arbitrary code via the From header in an email, which is passed to the expand_string function.

  • CVE-2011-1764 · Oct 5, 2011
    risk 0.00 · cvss · epss 0.04

    Format string vulnerability in the dkim_exim_verify_finish function in src/dkim.c in Exim before 4.76 might allow remote attackers to execute arbitrary code or cause a denial of service (daemon crash) via format string specifiers in data used in DKIM logging, as demonstrated by…

  • CVE-2011-1407 · May 16, 2011
    risk 0.00 · cvss · epss 0.04

    The DKIM implementation in Exim 4.7x before 4.76 permits matching for DKIM identities to apply to lookup items, instead of only strings, which allows remote attackers to execute arbitrary code or access a filesystem via a crafted identity.

  • CVE-2011-0017 · Feb 2, 2011
    risk 0.00 · cvss · epss 0.00

    The open_log function in log.c in Exim 4.72 and earlier does not check the return value from (1) setuid or (2) setgid system calls, which allows local users to append log data to arbitrary files via a symlink attack.

  • CVE-2010-2024 · Jun 7, 2010
    risk 0.00 · cvss · epss 0.00

    transports/appendfile.c in Exim before 4.72, when MBX locking is enabled, allows local users to change permissions of arbitrary files or create arbitrary files, and cause a denial of service or possibly gain privileges, via a symlink attack on a lockfile in /tmp/.

  • CVE-2010-2023 · Jun 7, 2010
    risk 0.00 · cvss · epss 0.00

    transports/appendfile.c in Exim before 4.72, when a world-writable sticky-bit mail directory is used, does not verify the st_nlink field of mailbox files, which allows local users to cause a denial of service or possibly gain privileges by creating a hard link to another user's…

  • CVE-2005-0022 · May 2, 2005
    risk 0.00 · cvss · epss 0.01

    Buffer overflow in the spa_base64_to_bits function in Exim before 4.43, as originally obtained from Samba code, and as called by the auth_spa_client function, may allow attackers to execute arbitrary code during SPA authentication.

  • CVE-2003-0743 · Oct 20, 2003
    risk 0.00 · cvss · epss 0.06

    Heap-based buffer overflow in smtp_in.c for Exim 3 (exim3) before 3.36 and Exim 4 (exim4) before 4.21 may allow remote attackers to execute arbitrary code via an invalid (1) HELO or (2) EHLO argument with a large number of spaces followed by a NULL character and a newline, which…

  • CVE-2002-0274 · May 31, 2002
    risk 0.00 · cvss · epss 0.00

    Exim 3.34 and earlier may allow local users to gain privileges via a buffer overflow in long -C (configuration file) and other command line arguments.

Page 2 of 2