Exim
Known Exploited Exim Vulnerabilities
The following Exim vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.
| Title | Description | Added |
|---|---|---|
| Exim Privilege Escalation Vulnerability | Exim allows local users to gain privileges by leveraging the ability of the exim user account to specify an alternate configuration file with a directive that contains arbitrary commands. CVE-2010-4345 | March 25, 2022 |
| Exim Heap-Based Buffer Overflow Vulnerability | Heap-based buffer overflow in the string_vformat function in string.c in Exim before 4.70 allows remote attackers to execute arbitrary code via an SMTP session. CVE-2010-4344 | March 25, 2022 |
| Exim Buffer Overflow Vulnerability | Issue in the base64d function in the SMTP listener in Exim before 4.90.1. By sending a handcrafted message, a buffer overflow may happen. This can be used to execute code remotely. CVE-2018-6789 | November 3, 2021 |
By the Year
In 2024 there have been 0 vulnerabilities in Exim . Last year Exim had 1 security vulnerability published. Right now, Exim is on track to have less security vulnerabilities in 2024 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2024 | 0 | 0.00 |
| 2023 | 1 | 5.30 |
| 2022 | 4 | 8.65 |
| 2021 | 22 | 8.19 |
| 2020 | 1 | 7.50 |
| 2019 | 4 | 9.80 |
| 2018 | 1 | 9.80 |
It may take a day or so for new Exim vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Exim Security Vulnerabilities
Exim before 4.97.1 allows SMTP smuggling in certain PIPELINING/CHUNKING configurations
CVE-2023-51766
5.3 - Medium
- December 24, 2023
Exim before 4.97.1 allows SMTP smuggling in certain PIPELINING/CHUNKING configurations. Remote attackers can use a published exploitation technique to inject e-mail messages with a spoofed MAIL FROM address, allowing bypass of an SPF protection mechanism. This occurs because Exim supports <LF>.<CR><LF> but some other popular e-mail servers do not.
Insufficient Verification of Data Authenticity
A vulnerability was found in Exim and classified as problematic
CVE-2022-3620
9.8 - Critical
- October 20, 2022
A vulnerability was found in Exim and classified as problematic. This issue affects the function dmarc_dns_lookup of the file dmarc.c of the component DMARC Handler. The manipulation leads to use after free. The attack may be initiated remotely. The name of the patch is 12fb3842f81bcbd4a4519d5728f2d7e0e3ca1445. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-211919.
Buffer Overflow
A vulnerability was found in Exim and classified as problematic
CVE-2022-3559
7.5 - High
- October 17, 2022
A vulnerability was found in Exim and classified as problematic. This issue affects some unknown processing of the component Regex Handler. The manipulation leads to use after free. The name of the patch is 4e9ed49f8f12eb331b29bd5b6dc3693c520fddc2. It is recommended to apply a patch to fix this issue. The identifier VDB-211073 was assigned to this vulnerability.
Buffer Overflow
Exim before 4.95 has a heap-based buffer overflow for the alias list in host_name_lookup in host.c when sender_host_name is set.
CVE-2022-37452
9.8 - Critical
- August 07, 2022
Exim before 4.95 has a heap-based buffer overflow for the alias list in host_name_lookup in host.c when sender_host_name is set.
Memory Corruption
Exim before 4.96 has an invalid free in pam_converse in auths/call_pam.c
CVE-2022-37451
7.5 - High
- August 06, 2022
Exim before 4.96 has an invalid free in pam_converse in auths/call_pam.c because store_free is not used after store_malloc.
Release of Invalid Pointer or Reference
The STARTTLS feature in Exim through 4.94.2
CVE-2021-38371
7.5 - High
- August 10, 2021
The STARTTLS feature in Exim through 4.94.2 allows response injection (buffering) during MTA SMTP sending.
Injection
Exim 4 before 4.94.2
CVE-2020-28017
9.8 - Critical
- May 06, 2021
Exim 4 before 4.94.2 allows Integer Overflow to Buffer Overflow in receive_add_recipient via an e-mail message with fifty million recipients. NOTE: remote exploitation may be difficult because of resource consumption.
Integer Overflow or Wraparound
Exim 4 before 4.94.2 allows Use After Free in smtp_reset in certain situations
CVE-2020-28018
9.8 - Critical
- May 06, 2021
Exim 4 before 4.94.2 allows Use After Free in smtp_reset in certain situations that may be common for builds with OpenSSL.
Dangling pointer
Exim 4 before 4.94.2
CVE-2020-28016
7.8 - High
- May 06, 2021
Exim 4 before 4.94.2 allows an off-by-two Out-of-bounds Write because "-F ''" is mishandled by parse_fix_phrase.
Memory Corruption
Exim 4 before 4.94.2 has Improper Neutralization of Line Delimiters
CVE-2020-28015
7.8 - High
- May 06, 2021
Exim 4 before 4.94.2 has Improper Neutralization of Line Delimiters. Local users can alter the behavior of root processes because a recipient address can have a newline character.
Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges
CVE-2020-28014
6.1 - Medium
- May 06, 2021
Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges. The -oP option is available to the exim user, and allows a denial of service because root-owned files can be overwritten.
Improper Privilege Management
Exim 4 before 4.94.2 allows Heap-based Buffer Overflow because it mishandles "-F '
CVE-2020-28013
7.8 - High
- May 06, 2021
Exim 4 before 4.94.2 allows Heap-based Buffer Overflow because it mishandles "-F '.('" on the command line, and thus may allow privilege escalation from any user to root. This occurs because of the interpretation of negative sizes in strncpy.
Memory Corruption
Exim 4 before 4.94.2 allows Exposure of File Descriptor to Unintended Control Sphere because rda_interpret uses a privileged pipe
CVE-2020-28012
7.8 - High
- May 06, 2021
Exim 4 before 4.94.2 allows Exposure of File Descriptor to Unintended Control Sphere because rda_interpret uses a privileged pipe that lacks a close-on-exec flag.
Exim 4 before 4.94.2 allows Heap-based Buffer Overflow in queue_run via two sender options: -R and -S
CVE-2020-28011
7.8 - High
- May 06, 2021
Exim 4 before 4.94.2 allows Heap-based Buffer Overflow in queue_run via two sender options: -R and -S. This may cause privilege escalation from exim to root.
Memory Corruption
Exim 4 before 4.94.2 allows Out-of-bounds Write because the main function, while setuid root, copies the current working directory pathname into a buffer
CVE-2020-28010
7.8 - High
- May 06, 2021
Exim 4 before 4.94.2 allows Out-of-bounds Write because the main function, while setuid root, copies the current working directory pathname into a buffer that is too small (on some common platforms).
Memory Corruption
Exim 4 before 4.94.2 allows Integer Overflow to Buffer Overflow because get_stdinput allows unbounded reads
CVE-2020-28009
7.8 - High
- May 06, 2021
Exim 4 before 4.94.2 allows Integer Overflow to Buffer Overflow because get_stdinput allows unbounded reads that are accompanied by unbounded increases in a certain size variable. NOTE: exploitation may be impractical because of the execution time needed to overflow (multiple days).
Integer Overflow or Wraparound
Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges
CVE-2020-28008
7.8 - High
- May 06, 2021
Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges. Because Exim operates as root in the spool directory (owned by a non-root user), an attacker can write to a /var/spool/exim4/input spool header file, in which a crafted recipient address can indirectly lead to command execution.
Improper Privilege Management
Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges
CVE-2020-28007
7.8 - High
- May 06, 2021
Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges. Because Exim operates as root in the log directory (owned by a non-root user), a symlink or hard link attack allows overwriting critical root-owned files anywhere on the filesystem.
insecure temporary file
Exim 4 before 4.94.2 has Execution with Unnecessary Privileges
CVE-2021-27216
6.3 - Medium
- May 06, 2021
Exim 4 before 4.94.2 has Execution with Unnecessary Privileges. By leveraging a delete_pid_file race condition, a local user can delete arbitrary files as root. This involves the -oP and -oPX options.
Improper Privilege Management
Exim 4 before 4.94.2 has Improper Initialization that can lead to recursion-based stack consumption or other consequences
CVE-2020-28019
7.5 - High
- May 06, 2021
Exim 4 before 4.94.2 has Improper Initialization that can lead to recursion-based stack consumption or other consequences. This occurs because use of certain getc functions is mishandled when a client uses BDAT instead of DATA.
Improper Initialization
Exim 4 before 4.92 allows Integer Overflow to Buffer Overflow, in
CVE-2020-28020
9.8 - Critical
- May 06, 2021
Exim 4 before 4.92 allows Integer Overflow to Buffer Overflow, in which an unauthenticated remote attacker can execute arbitrary code by leveraging the mishandling of continuation lines during header-length restriction.
Integer Overflow or Wraparound
Exim 4 before 4.94.2 has Improper Neutralization of Line Delimiters
CVE-2020-28021
8.8 - High
- May 06, 2021
Exim 4 before 4.94.2 has Improper Neutralization of Line Delimiters. An authenticated remote SMTP client can insert newline characters into a spool file (which indirectly leads to remote code execution as root) via AUTH= in a MAIL FROM command.
Exim 4 before 4.94.2 has Improper Restriction of Write Operations within the Bounds of a Memory Buffer
CVE-2020-28022
9.8 - Critical
- May 06, 2021
Exim 4 before 4.94.2 has Improper Restriction of Write Operations within the Bounds of a Memory Buffer. This occurs when processing name=value pairs within MAIL FROM and RCPT TO commands.
Buffer Overflow
Exim 4 before 4.94.2 allows Out-of-bounds Read
CVE-2020-28023
7.5 - High
- May 06, 2021
Exim 4 before 4.94.2 allows Out-of-bounds Read. smtp_setup_msg may disclose sensitive information from process memory to an unauthenticated SMTP client.
Out-of-bounds Read
Exim 4 before 4.94.2 allows Buffer Underwrite
CVE-2020-28024
9.8 - Critical
- May 06, 2021
Exim 4 before 4.94.2 allows Buffer Underwrite that may result in unauthenticated remote attackers executing arbitrary commands, because smtp_ungetc was only intended to push back characters, but can actually push back non-character error codes such as EOF.
Buffer Overflow
Exim 4 before 4.94.2
CVE-2020-28025
7.5 - High
- May 06, 2021
Exim 4 before 4.94.2 allows Out-of-bounds Read because pdkim_finish_bodyhash does not validate the relationship between sig->bodyhash.len and b->bh.len; thus, a crafted DKIM-Signature header might lead to a leak of sensitive information from process memory.
Out-of-bounds Read
Exim 4 before 4.94.2 has Improper Neutralization of Line Delimiters, relevant in non-default configurations
CVE-2020-28026
9.8 - Critical
- May 06, 2021
Exim 4 before 4.94.2 has Improper Neutralization of Line Delimiters, relevant in non-default configurations that enable Delivery Status Notification (DSN). Certain uses of ORCPT= can place a newline into a spool header file, and indirectly allow unauthenticated remote attackers to execute arbitrary commands as root.
Exim through 4.93 has an out-of-bounds read in the SPA authenticator
CVE-2020-12783
7.5 - High
- May 11, 2020
Exim through 4.93 has an out-of-bounds read in the SPA authenticator that could result in SPA/NTLM authentication bypass in auths/spa.c and auths/auth-spa.c.
Out-of-bounds Read
Exim 4.92 through 4.92.2 allows remote code execution, a different vulnerability than CVE-2019-15846
CVE-2019-16928
9.8 - Critical
- September 27, 2019
Exim 4.92 through 4.92.2 allows remote code execution, a different vulnerability than CVE-2019-15846. There is a heap-based buffer overflow in string_vformat in string.c involving a long EHLO command.
Memory Corruption
Exim before 4.92.2 allows remote attackers to execute arbitrary code as root
CVE-2019-15846
9.8 - Critical
- September 06, 2019
Exim before 4.92.2 allows remote attackers to execute arbitrary code as root via a trailing backslash.
Exim 4.85 through 4.92 (fixed in 4.92.1) allows remote code execution as root in some unusual configurations
CVE-2019-13917
9.8 - Critical
- July 25, 2019
Exim 4.85 through 4.92 (fixed in 4.92.1) allows remote code execution as root in some unusual configurations that use the ${sort } expansion for items that can be controlled by an attacker (e.g., $local_part or $domain).
Data Processing Errors
A flaw was found in Exim versions 4.87 to 4.91 (inclusive)
CVE-2019-10149
9.8 - Critical
- June 05, 2019
A flaw was found in Exim versions 4.87 to 4.91 (inclusive). Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to remote command execution.
Shell injection
An issue was discovered in the base64d function in the SMTP listener in Exim before 4.90.1
CVE-2018-6789
9.8 - Critical
- February 08, 2018
An issue was discovered in the base64d function in the SMTP listener in Exim before 4.90.1. By sending a handcrafted message, a buffer overflow may happen. This can be used to execute code remotely.
Buffer Overflow
The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89
CVE-2017-16943
9.8 - Critical
- November 25, 2017
The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via vectors involving BDAT commands.
Dangling pointer
The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89
CVE-2017-16944
7.5 - High
- November 25, 2017
The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89 allows remote attackers to cause a denial of service (infinite loop and stack exhaustion) via vectors involving BDAT commands and an improper check for a '.' character signifying the end of the content, related to the bdat_getc function.
Infinite Loop
The dmarc_process function in dmarc.c in Exim before 4.82.1, when EXPERIMENTAL_DMARC is enabled
CVE-2014-2957
- September 04, 2014
The dmarc_process function in dmarc.c in Exim before 4.82.1, when EXPERIMENTAL_DMARC is enabled, allows remote attackers to execute arbitrary code via the From header in an email, which is passed to the expand_string function.
Improper Input Validation
Heap-based buffer overflow in the string_vformat function in string.c in Exim before 4.70 allows remote attackers to execute arbitrary code via an SMTP session
CVE-2010-4344
- December 14, 2010
Heap-based buffer overflow in the string_vformat function in string.c in Exim before 4.70 allows remote attackers to execute arbitrary code via an SMTP session that includes two MAIL commands in conjunction with a large message containing crafted headers, leading to improper rejection logging.
Buffer Overflow
Exim 4.72 and earlier allows local users to gain privileges by leveraging the ability of the exim user account to specify an alternate configuration file with a directive
CVE-2010-4345
- December 14, 2010
Exim 4.72 and earlier allows local users to gain privileges by leveraging the ability of the exim user account to specify an alternate configuration file with a directive that contains arbitrary commands, as demonstrated by the spool_directory directive.
Permissions, Privileges, and Access Controls
