CVE-2014-2957 — Improper Input Validation in Exim

CWE-20 — Improper Input Validation6 documents6 sources

Severity

6.8MEDIUMNVD

EPSS

1.8%

top 17.09%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian Exim4 Exim

Timeline

PublishedSep 4

Latest updateMay 13

Description

The dmarc_process function in dmarc.c in Exim before 4.82.1, when EXPERIMENTAL_DMARC is enabled, allows remote attackers to execute arbitrary code via the From header in an email, which is passed to the expand_string function.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages2 packages

▶debiandebian/exim4< exim4 4.82.1-1 (bookworm)

▶NVDexim/exim4.82+50

Patches

Patch: lists.exim.org ↗Patch: lists.exim.org ↗

🔴Vulnerability Details

GHSA

GHSA-r2xw-4p4f-wp3m: The dmarc_process function in dmarc↗2022-05-13

▶

OSV

CVE-2014-2957: The dmarc_process function in dmarc↗2014-09-04

▶

📋Vendor Advisories

Red Hat

exim: remote arbitrary code execution via DMARC code parsing↗2014-05-28

▶

Debian

CVE-2014-2957: exim4 - The dmarc_process function in dmarc.c in Exim before 4.82.1, when EXPERIMENTAL_D...↗2014

▶

💬Community

Bugzilla

CVE-2014-2957 exim: remote arbitrary code execution via DMARC code parsing↗2014-05-27

▶