CVE-2019-13917

Published: 25 July 2019

Exim 4.85 through 4.92 (fixed in 4.92.1) allows remote code execution as root in some unusual configurations that use the ${sort } expansion for items that can be controlled by an attacker (e.g., $local_part or $domain).

Priority

Medium

CVSS 3 base score: 9.8

Status

Package Release Status
exim4
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 18.04 LTS (Bionic Beaver)
Released (4.90.1-1ubuntu1.3)
Ubuntu 16.04 ESM (Xenial Xerus)
Released (4.86.2-2ubuntu2.4)
Ubuntu 14.04 ESM (Trusty Tahr) Not vulnerable