cpe:2.3:a:exim:exim:2.11:*:*:*:*:*:*:*
Exim before 4.97.1 allows SMTP smuggling in certain PIPELINING/CHUNKING configurations. Remote attackers can use a published exploitation technique to inject e-mail messages with a spoofed MAIL FROM address, allowing bypass of an SPF protection mechanism. This occurs because Exim supports <LF>.<CR><LF> but some other popular e-mail servers do not.
Max CVSS
5.3
EPSS Score
0.28%
Published
2023-12-24
Updated
2024-02-02
Exim before 4.95 has a heap-based buffer overflow for the alias list in host_name_lookup in host.c when sender_host_name is set.
Max CVSS
9.8
EPSS Score
0.47%
Published
2022-08-07
Updated
2022-10-28
Exim before 4.96 has an invalid free in pam_converse in auths/call_pam.c because store_free is not used after store_malloc.
Max CVSS
7.5
EPSS Score
0.37%
Published
2022-08-06
Updated
2022-09-29
The STARTTLS feature in Exim through 4.94.2 allows response injection (buffering) during MTA SMTP sending.
Max CVSS
7.5
EPSS Score
0.20%
Published
2021-08-10
Updated
2021-08-20
Exim 4 before 4.94.2 has Execution with Unnecessary Privileges. By leveraging a delete_pid_file race condition, a local user can delete arbitrary files as root. This involves the -oP and -oPX options.
Max CVSS
6.3
EPSS Score
0.04%
Published
2021-05-06
Updated
2022-06-28
Exim 4 before 4.94.2 allows Integer Overflow to Buffer Overflow in receive_add_recipient via an e-mail message with fifty million recipients. NOTE: remote exploitation may be difficult because of resource consumption.
Max CVSS
9.8
EPSS Score
0.25%
Published
2021-05-06
Updated
2022-10-04
Exim through 4.93 has an out-of-bounds read in the SPA authenticator that could result in SPA/NTLM authentication bypass in auths/spa.c and auths/auth-spa.c.
Max CVSS
7.5
EPSS Score
0.27%
Published
2020-05-11
Updated
2022-11-16
A UNIX Symbolic Link (Symlink) Following vulnerability in the packaging of exim in openSUSE Factory allows local attackers to escalate from user mail to root. This issue affects: openSUSE Factory exim versions prior to 4.93.0.4-3.1.
Max CVSS
8.4
EPSS Score
0.04%
Published
2020-04-02
Updated
2020-11-20
Exim before 4.92.2 allows remote attackers to execute arbitrary code as root via a trailing backslash.
Max CVSS
10.0
EPSS Score
19.65%
Published
2019-09-06
Updated
2020-08-24

CVE-2018-6789

Known exploited
Used for ransomware
An issue was discovered in the base64d function in the SMTP listener in Exim before 4.90.1. By sending a handcrafted message, a buffer overflow may happen. This can be used to execute code remotely.
Max CVSS
9.8
EPSS Score
96.76%
Published
2018-02-08
Updated
2021-06-03
CISA KEV Added
2021-11-03
Exim supports the use of multiple "-p" command line arguments which are malloc()'ed and never free()'ed, used in conjunction with other issues allows attackers to cause arbitrary code execution. This affects exim version 4.89 and earlier. Please note that at this time upstream has released a patch (commit 65e061b76867a9ea7aeeb535341b790b90ae6c21), but it is not known if a new point release is available that addresses this issue at this time.
Max CVSS
4.0
EPSS Score
0.29%
Published
2017-06-19
Updated
2019-12-12
Exim before 4.87.1 might allow remote attackers to obtain the private DKIM signing key via vectors related to log files and bounce messages.
Max CVSS
5.9
EPSS Score
0.40%
Published
2017-02-01
Updated
2017-02-15

CVE-2016-1531

Public exploit
Exim before 4.86.2, when installed setuid root, allows local users to gain privileges via the perl_startup argument.
Max CVSS
7.0
EPSS Score
0.06%
Published
2016-04-07
Updated
2017-09-08
expand.c in Exim before 4.83 expands mathematical comparisons twice, which allows local users to gain privileges and execute arbitrary commands via a crafted lookup value.
Max CVSS
4.6
EPSS Score
0.04%
Published
2014-09-04
Updated
2016-12-03
The dmarc_process function in dmarc.c in Exim before 4.82.1, when EXPERIMENTAL_DMARC is enabled, allows remote attackers to execute arbitrary code via the From header in an email, which is passed to the expand_string function.
Max CVSS
6.8
EPSS Score
5.57%
Published
2014-09-04
Updated
2021-05-04
Format string vulnerability in the dkim_exim_verify_finish function in src/dkim.c in Exim before 4.76 might allow remote attackers to execute arbitrary code or cause a denial of service (daemon crash) via format string specifiers in data used in DKIM logging, as demonstrated by an identity field containing a % (percent) character.
Max CVSS
7.5
EPSS Score
8.88%
Published
2011-10-05
Updated
2014-02-21
The open_log function in log.c in Exim 4.72 and earlier does not check the return value from (1) setuid or (2) setgid system calls, which allows local users to append log data to arbitrary files via a symlink attack.
Max CVSS
6.9
EPSS Score
0.04%
Published
2011-02-02
Updated
2017-08-17

CVE-2010-4345

Known exploited
Public exploit
Exim 4.72 and earlier allows local users to gain privileges by leveraging the ability of the exim user account to specify an alternate configuration file with a directive that contains arbitrary commands, as demonstrated by the spool_directory directive.
Max CVSS
6.9
EPSS Score
0.12%
Published
2010-12-14
Updated
2023-02-13
CISA KEV Added
2022-03-25

CVE-2010-4344

Known exploited
Public exploit
Heap-based buffer overflow in the string_vformat function in string.c in Exim before 4.70 allows remote attackers to execute arbitrary code via an SMTP session that includes two MAIL commands in conjunction with a large message containing crafted headers, leading to improper rejection logging.
Max CVSS
9.3
EPSS Score
93.07%
Published
2010-12-14
Updated
2023-02-13
CISA KEV Added
2022-03-25
transports/appendfile.c in Exim before 4.72, when MBX locking is enabled, allows local users to change permissions of arbitrary files or create arbitrary files, and cause a denial of service or possibly gain privileges, via a symlink attack on a lockfile in /tmp/.
Max CVSS
4.4
EPSS Score
0.04%
Published
2010-06-07
Updated
2018-10-10
transports/appendfile.c in Exim before 4.72, when a world-writable sticky-bit mail directory is used, does not verify the st_nlink field of mailbox files, which allows local users to cause a denial of service or possibly gain privileges by creating a hard link to another user's file.
Max CVSS
4.4
EPSS Score
0.04%
Published
2010-06-07
Updated
2018-10-10
21 vulnerabilities found
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!