Vendor CVEs
Exim
All CVEs
76 total · sorted by risk

| CVE | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|
| CVE-2020-28021 | 0.00 | — | 0.04 | May 6, 2021 | Exim 4 before 4.94.2 has Improper Neutralization of Line Delimiters. An authenticated remote SMTP client can insert newline characters into a spool file (which indirectly leads to remote code execution as root) via AUTH= in a MAIL FROM command. |
| CVE-2020-28019 | 0.00 | — | 0.61 | May 6, 2021 | Exim 4 before 4.94.2 has Improper Initialization that can lead to recursion-based stack consumption or other consequences. This occurs because use of certain getc functions is mishandled when a client uses BDAT instead of DATA. |
| CVE-2020-28017 | 0.00 | — | 0.36 | May 6, 2021 | Exim 4 before 4.94.2 allows Integer Overflow to Buffer Overflow in receive_add_recipient via an e-mail message with fifty million recipients. NOTE: remote exploitation may be difficult because of resource consumption. |
| CVE-2020-28016 | 0.00 | — | 0.00 | May 6, 2021 | Exim 4 before 4.94.2 allows an off-by-two Out-of-bounds Write because "-F ''" is mishandled by parse_fix_phrase. |
| CVE-2020-28015 | 0.00 | — | 0.00 | May 6, 2021 | Exim 4 before 4.94.2 has Improper Neutralization of Line Delimiters. Local users can alter the behavior of root processes because a recipient address can have a newline character. |
| CVE-2020-28014 | 0.00 | — | 0.01 | May 6, 2021 | Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges. The -oP option is available to the exim user, and allows a denial of service because root-owned files can be overwritten. |
| CVE-2020-28013 | 0.00 | — | 0.00 | May 6, 2021 | Exim 4 before 4.94.2 allows Heap-based Buffer Overflow because it mishandles "-F '.('" on the command line, and thus may allow privilege escalation from any user to root. This occurs because of the interpretation of negative sizes in strncpy. |
| CVE-2020-28012 | 0.00 | — | 0.00 | May 6, 2021 | Exim 4 before 4.94.2 allows Exposure of File Descriptor to Unintended Control Sphere because rda_interpret uses a privileged pipe that lacks a close-on-exec flag. |
| CVE-2020-28011 | 0.00 | — | 0.00 | May 6, 2021 | Exim 4 before 4.94.2 allows Heap-based Buffer Overflow in queue_run via two sender options: -R and -S. This may cause privilege escalation from exim to root. |
| CVE-2020-28010 | 0.00 | — | 0.00 | May 6, 2021 | Exim 4 before 4.94.2 allows Out-of-bounds Write because the main function, while setuid root, copies the current working directory pathname into a buffer that is too small (on some common platforms). |
| CVE-2020-28009 | 0.00 | — | 0.00 | May 6, 2021 | Exim 4 before 4.94.2 allows Integer Overflow to Buffer Overflow because get_stdinput allows unbounded reads that are accompanied by unbounded increases in a certain size variable. NOTE: exploitation may be impractical because of the execution time needed to overflow (multiple… |
| CVE-2020-28008 | 0.00 | — | 0.00 | May 6, 2021 | Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges. Because Exim operates as root in the spool directory (owned by a non-root user), an attacker can write to a /var/spool/exim4/input spool header file, in which a crafted recipient address can indirectly lead to… |
| CVE-2020-28007 | 0.00 | — | 0.01 | May 6, 2021 | Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges. Because Exim operates as root in the log directory (owned by a non-root user), a symlink or hard link attack allows overwriting critical root-owned files anywhere on the filesystem. |
| CVE-2020-12783 | 0.00 | — | 0.04 | May 11, 2020 | Exim through 4.93 has an out-of-bounds read in the SPA authenticator that could result in SPA/NTLM authentication bypass in auths/spa.c and auths/auth-spa.c. |
| CVE-2020-8015 | 0.00 | — | 0.01 | Apr 2, 2020 | A UNIX Symbolic Link (Symlink) Following vulnerability in the packaging of exim in openSUSE Factory allows local attackers to escalate from user mail to root. This issue affects: openSUSE Factory exim versions prior to 4.93.0.4-3.1. |
| CVE-2015-9287 | 0.00 | — | 0.02 | May 13, 2019 | Directory Traversal was discovered in University of Cambridge mod_ucam_webauth before 2.0.2. The key identification field ("kid") of the IdP's HTTP response message ("WLS-Response") can be manipulated by an attacker. The "kid" field is not signed like the rest of the message,… |
| CVE-2014-2972 | 0.00 | — | 0.00 | Sep 4, 2014 | expand.c in Exim before 4.83 expands mathematical comparisons twice, which allows local users to gain privileges and execute arbitrary commands via a crafted lookup value. |
| CVE-2014-2957 | 0.00 | — | 0.05 | Sep 4, 2014 | The dmarc_process function in dmarc.c in Exim before 4.82.1, when EXPERIMENTAL_DMARC is enabled, allows remote attackers to execute arbitrary code via the From header in an email, which is passed to the expand_string function. |
| CVE-2011-1764 | 0.00 | — | 0.04 | Oct 5, 2011 | Format string vulnerability in the dkim_exim_verify_finish function in src/dkim.c in Exim before 4.76 might allow remote attackers to execute arbitrary code or cause a denial of service (daemon crash) via format string specifiers in data used in DKIM logging, as demonstrated by… |
| CVE-2011-1407 | 0.00 | — | 0.04 | May 16, 2011 | The DKIM implementation in Exim 4.7x before 4.76 permits matching for DKIM identities to apply to lookup items, instead of only strings, which allows remote attackers to execute arbitrary code or access a filesystem via a crafted identity. |
| CVE-2011-0017 | 0.00 | — | 0.00 | Feb 2, 2011 | The open_log function in log.c in Exim 4.72 and earlier does not check the return value from (1) setuid or (2) setgid system calls, which allows local users to append log data to arbitrary files via a symlink attack. |
| CVE-2010-2024 | 0.00 | — | 0.00 | Jun 7, 2010 | transports/appendfile.c in Exim before 4.72, when MBX locking is enabled, allows local users to change permissions of arbitrary files or create arbitrary files, and cause a denial of service or possibly gain privileges, via a symlink attack on a lockfile in /tmp/. |
| CVE-2010-2023 | 0.00 | — | 0.00 | Jun 7, 2010 | transports/appendfile.c in Exim before 4.72, when a world-writable sticky-bit mail directory is used, does not verify the st_nlink field of mailbox files, which allows local users to cause a denial of service or possibly gain privileges by creating a hard link to another user's… |
| CVE-2005-0022 | 0.00 | — | 0.01 | May 2, 2005 | Buffer overflow in the spa_base64_to_bits function in Exim before 4.43, as originally obtained from Samba code, and as called by the auth_spa_client function, may allow attackers to execute arbitrary code during SPA authentication. |
| CVE-2003-0743 | 0.00 | — | 0.06 | Oct 20, 2003 | Heap-based buffer overflow in smtp_in.c for Exim 3 (exim3) before 3.36 and Exim 4 (exim4) before 4.21 may allow remote attackers to execute arbitrary code via an invalid (1) HELO or (2) EHLO argument with a large number of spaces followed by a NULL character and a newline, which… |
| CVE-2002-0274 | 0.00 | — | 0.00 | May 31, 2002 | Exim 3.34 and earlier may allow local users to gain privileges via a buffer overflow in long -C (configuration file) and other command line arguments. |
Page 2 of 2