Your submission was sent successfully! Close

CVE-2019-13917

Published: 25 July 2019

Exim 4.85 through 4.92 (fixed in 4.92.1) allows remote code execution as root in some unusual configurations that use the ${sort } expansion for items that can be controlled by an attacker (e.g., $local_part or $domain).

Notes

AuthorNote
mdeslaur
remote or local code execution as root with non-default configuration
Priority

Medium

CVSS 3 base score: 9.8

Status

Package Release Status
exim4
Launchpad, Ubuntu, Debian
bionic
Released (4.90.1-1ubuntu1.3)
disco
Released (4.92-4ubuntu1.2)
precise Does not exist

trusty Not vulnerable

upstream Needs triage

xenial
Released (4.86.2-2ubuntu2.4)