PT-2019-16009 · Exim+1 · Sa-Exim+1
Henrik Krohns
·
Published
2019-12-22
·
Updated
2022-12-14
·
CVE-2019-19920
CVSS v2.0
9.0
High
| Vector | AV:N/AC:L/Au:S/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
sa-exim version 4.2.1
Description
The issue allows attackers to execute arbitrary code if they can write a .cf file or a rule. This occurs because Greylisting.pm relies on
eval rather than direct parsing and/or use of the taint feature.Recommendations
For sa-exim version 4.2.1, consider disabling the use of
eval in Greylisting.pm or restrict access to writing .cf files and rules until a patch is available.Fix
OS Command Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Ubuntu
Sa-Exim