Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Exim
(Exim)| Repositories | https://github.com/Exim/exim |
| #Vulnerabilities | 52 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2014-09-04 | CVE-2014-2957 | The dmarc_process function in dmarc.c in Exim before 4.82.1, when EXPERIMENTAL_DMARC is enabled, allows remote attackers to execute arbitrary code via the From header in an email, which is passed to the expand_string function. | Exim | N/A | ||
| 2017-11-25 | CVE-2017-16944 | The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to cause a denial of service (infinite loop and stack exhaustion) via vectors involving BDAT commands and an improper check for a '.' character signifying the end of the content, related to the bdat_getc function. | Debian_linux, Exim | 7.5 | ||
| 2017-11-25 | CVE-2017-16943 | The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via vectors involving BDAT commands. | Debian_linux, Exim | 9.8 | ||
| 2017-06-19 | CVE-2017-1000369 | Exim supports the use of multiple "-p" command line arguments which are malloc()'ed and never free()'ed, used in conjunction with other issues allows attackers to cause arbitrary code execution. This affects exim version 4.89 and earlier. Please note that at this time upstream has released a patch (commit 65e061b76867a9ea7aeeb535341b790b90ae6c21), but it is not known if a new point release is available that addresses this issue at this time. | Debian_linux, Exim | N/A | ||
| 2019-07-25 | CVE-2019-13917 | Exim 4.85 through 4.92 (fixed in 4.92.1) allows remote code execution as root in some unusual configurations that use the ${sort } expansion for items that can be controlled by an attacker (e.g., $local_part or $domain). | Debian_linux, Exim | 9.8 | ||
| 2017-02-01 | CVE-2016-9963 | Exim before 4.87.1 might allow remote attackers to obtain the private DKIM signing key via vectors related to log files and bounce messages. | Ubuntu_linux, Debian_linux, Exim | 5.9 | ||
| 2016-04-07 | CVE-2016-1531 | Exim before 4.86.2, when installed setuid root, allows local users to gain privileges via the perl_startup argument. | Exim | 7.0 | ||
| 2014-09-04 | CVE-2014-2972 | expand.c in Exim before 4.83 expands mathematical comparisons twice, which allows local users to gain privileges and execute arbitrary commands via a crafted lookup value. | Exim | N/A | ||
| 2012-10-31 | CVE-2012-5671 | Heap-based buffer overflow in the dkim_exim_query_dns_txt function in dkim.c in Exim 4.70 through 4.80, when DKIM support is enabled and acl_smtp_connect and acl_smtp_rcpt are not set to "warn control = dkim_disable_verify," allows remote attackers to execute arbitrary code via an email from a malicious DNS server. | Exim | N/A | ||
| 2011-10-05 | CVE-2011-1764 | Format string vulnerability in the dkim_exim_verify_finish function in src/dkim.c in Exim before 4.76 might allow remote attackers to execute arbitrary code or cause a denial of service (daemon crash) via format string specifiers in data used in DKIM logging, as demonstrated by an identity field containing a % (percent) character. | Exim | N/A |