6.9

CVE-2011-0017

The open_log function in log.c in Exim 4.72 and earlier does not check the return value from (1) setuid or (2) setgid system calls, which allows local users to append log data to arbitrary files via a symlink attack.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
EximExim Version <= 4.72
EximExim Version2.10
EximExim Version2.11
EximExim Version2.12
EximExim Version3.00
EximExim Version3.01
EximExim Version3.02
EximExim Version3.03
EximExim Version3.10
EximExim Version3.11
EximExim Version3.12
EximExim Version3.13
EximExim Version3.14
EximExim Version3.15
EximExim Version3.16
EximExim Version3.20
EximExim Version3.21
EximExim Version3.22
EximExim Version3.30
EximExim Version3.31
EximExim Version3.32
EximExim Version3.33
EximExim Version3.34
EximExim Version3.35
EximExim Version3.36
EximExim Version4.00
EximExim Version4.01
EximExim Version4.02
EximExim Version4.03
EximExim Version4.04
EximExim Version4.05
EximExim Version4.10
EximExim Version4.11
EximExim Version4.12
EximExim Version4.14
EximExim Version4.20
EximExim Version4.21
EximExim Version4.22
EximExim Version4.23
EximExim Version4.24
EximExim Version4.30
EximExim Version4.31
EximExim Version4.32
EximExim Version4.33
EximExim Version4.34
EximExim Version4.40
EximExim Version4.41
EximExim Version4.42
EximExim Version4.43
EximExim Version4.44
EximExim Version4.50
EximExim Version4.51
EximExim Version4.52
EximExim Version4.53
EximExim Version4.54
EximExim Version4.60
EximExim Version4.61
EximExim Version4.62
EximExim Version4.63
EximExim Version4.64
EximExim Version4.65
EximExim Version4.66
EximExim Version4.67
EximExim Version4.68
EximExim Version4.69
EximExim Version4.70
EximExim Version4.71
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.38% 0.295
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 6.9 3.4 10
AV:L/AC:M/Au:N/C:C/I:C/A:C
CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

CWE-59 Improper Link Resolution Before File Access ('Link Following')

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

http://secunia.com/advisories/43243
http://www.ubuntu.com/usn/USN-1060-1
http://www.vupen.com/english/advisories/2011/0364
http://lists.opensuse.org/opensuse-security-announce/2011-02/msg00004.html
http://www.vupen.com/english/advisories/2011/0464
http://secunia.com/advisories/43128
Vendor Advisory
http://www.debian.org/security/2011/dsa-2154
http://www.vupen.com/english/advisories/2011/0245
Vendor Advisory
ftp://ftp.exim.org/pub/exim/ChangeLogs/ChangeLog-4.74
http://lists.exim.org/lurker/message/20110126.034702.4d69c278.en.html
Patch
http://osvdb.org/70696
http://secunia.com/advisories/43101
Vendor Advisory
http://www.securityfocus.com/bid/46065
http://www.vupen.com/english/advisories/2011/0224
Vendor Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/65028