CVE-2019-19920

EPSS 5.36%
Published 22.12.2019 18:15:10
Last modified 21.11.2024 04:35:39
Source cve@mitre.org
CVE-Watchlists
Login
Open
Login

sa-exim 4.2.1 allows attackers to execute arbitrary code if they can write a .cf file or a rule. This occurs because Greylisting.pm relies on eval (rather than direct parsing and/or use of the taint feature). This issue is similar to CVE-2018-11805.

Affected products Warnungen 0 Metrics 3 CWE 1 References 8

Data is provided by the National Vulnerability Database (NVD)

Sa-exim Project ≫ Sa-exim Version4.2.1

Canonical ≫ Ubuntu Linux Version16.04 SwEditionesm

Debian ≫ Debian Linux Version8.0

Debian ≫ Debian Linux Version9.0

Debian ≫ Debian Linux Version10.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	5.36%	0.896

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	9	8	10	AV:N/AC:L/Au:S/C:C/I:C/A:C

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

https://bugs.debian.org/946829#24

Patch

Third Party Advisory

Mailing List

https://lists.debian.org/debian-lts-announce/2020/01/msg00006.html

Third Party Advisory

Mailing List

https://marc.info/?l=spamassassin-users&m=157668107325768&w=2

Third Party Advisory

Mailing List

https://marc.info/?l=spamassassin-users&m=157668305026635&w=2

Third Party Advisory