CVE-2014-2972
Published 2014-09-04
CVE-2014-2972: expand.c in Exim before 4.83 expands mathematical comparisons twice, which allows local users to gain privileges and execute arbitrary commands via a crafted…
Priority P4 · 30 · medium · CVSS 2.0 4.6
AV:L/AC:L/Au:N/C:P/I:P/A:P
EPSS 0.49% (38.3rd percentile)
expand.c in Exim before 4.83 expands mathematical comparisons twice, which allows local users to gain privileges and execute arbitrary commands via a crafted lookup value.
Affected
53 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | exim4 | < exim4 4.82.1-2 (bookworm) | exim4 4.82.1-2 (bookworm) |
| exim | exim | <= 4.82.1 | — |
| exim | exim | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 4.6 | MEDIUM | AV:L/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 4.6 | MEDIUM | — |
| vendor_debian | — | 4.6 | LOW | — |
| vendor_redhat | — | 4.6 | MEDIUM | — |
| vendor_ubuntu | — | 4.6 | MEDIUM | — |
GHSA
GHSA-9qqj-vrhc-8q74: expand
ghsa_unreviewed·2022-05-17
CVE-2014-2972 [MEDIUM] GHSA-9qqj-vrhc-8q74: expand
expand.c in Exim before 4.83 expands mathematical comparisons twice, which allows local users to gain privileges and execute arbitrary commands via a crafted lookup value.
OSV
exim4 vulnerabilities
osv·2016-03-15·CVSS 4.6
[MEDIUM] exim4 vulnerabilities
exim4 vulnerabilities
It was discovered that Exim incorrectly filtered environment variables when
used with the perl_startup configuration option. If the perl_startup option
was enabled, a local attacker could use this issue to escalate their
privileges to the root user. This issue has been fixed by having Exim clean
the complete execution environment by default on startup, including any
subprocesses such as transports that call other programs. This change in
behaviour may break existing installations and can be adjusted by using two
new configuration options, keep_environment and add_environment.
(CVE-2016-1531)
Patrick William discovered that Exim incorrectly expanded mathematical
comparisons twice. A local attacker could possibly use this issue to
perform arbitrary file operations as
OSV
CVE-2014-2972: expand
osv·2014-09-04·CVSS 4.6
CVE-2014-2972 [MEDIUM] CVE-2014-2972: expand
expand.c in Exim before 4.83 expands mathematical comparisons twice, which allows local users to gain privileges and execute arbitrary commands via a crafted lookup value.
Ubuntu
Exim vulnerabilities
vendor_ubuntu·2016-03-15·CVSS 4.6
CVE-2014-2972 [MEDIUM] Exim vulnerabilities
Title: Exim vulnerabilities
Summary: Several security issues were fixed in Exim.
It was discovered that Exim incorrectly filtered environment variables when
used with the perl_startup configuration option. If the perl_startup option
was enabled, a local attacker could use this issue to escalate their
privileges to the root user. This issue has been fixed by having Exim clean
the complete execution environment by default on startup, including any
subprocesses such as transports that call other programs. This change in
behaviour may break existing installations and can be adjusted by using two
new configuration options, keep_environment and add_environment.
(CVE-2016-1531)
Patrick William discovered that Exim incorrectly expanded mathematical
comparisons twice. A local attacker could poss
Red Hat
exim: local code execution via string expansion
vendor_redhat·2014-07-23·CVSS 4.6
CVE-2014-2972 [MEDIUM] CWE-138 exim: local code execution via string expansion
exim: local code execution via string expansion
expand.c in Exim before 4.83 expands mathematical comparisons twice, which allows local users to gain privileges and execute arbitrary commands via a crafted lookup value.
Statement: Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Low security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
Package: exim (Red Hat Enterprise Linux 5) - Will not fix
Debian
CVE-2014-2972: exim4 - expand.c in Exim before 4.83 expands mathematical comparisons twice, which allow...
vendor_debian·2014·CVSS 4.6
CVE-2014-2972 [MEDIUM] CVE-2014-2972: exim4 - expand.c in Exim before 4.83 expands mathematical comparisons twice, which allow...
expand.c in Exim before 4.83 expands mathematical comparisons twice, which allows local users to gain privileges and execute arbitrary commands via a crafted lookup value.
Scope: local
bookworm: resolved (fixed in 4.82.1-2)
bullseye: resolved (fixed in 4.82.1-2)
forky: resolved (fixed in 4.82.1-2)
sid: resolved (fixed in 4.82.1-2)
trixie: resolved (fixed in 4.82.1-2)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2014-2972 exim: local code execution via string expansion [fedora-all]
bugzilla·2014-07-23·CVSS 4.6
CVE-2014-2972 [MEDIUM] CVE-2014-2972 exim: local code execution via string expansion [fedora-all]
CVE-2014-2972 exim: local code execution via string expansion [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fed
Bugzilla
CVE-2014-2972 exim: local code execution via string expansion [epel-6]
bugzilla·2014-07-23·CVSS 4.6
CVE-2014-2972 [MEDIUM] CVE-2014-2972 exim: local code execution via string expansion [epel-6]
CVE-2014-2972 exim: local code execution via string expansion [epel-6]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
epel-6 tracking bug for exim: see blocks bug list for full
Bugzilla
CVE-2014-2972 exim: local code execution via string expansion
bugzilla·2014-07-23·CVSS 4.6
CVE-2014-2972 [MEDIUM] CVE-2014-2972 exim: local code execution via string expansion
CVE-2014-2972 exim: local code execution via string expansion
As reported to the exim user's mailing list [1], Exim suffers from a local vulnerability where a string expansion is evaluated twice. If a local attacker were able to provide unsanitized data to a data source used by Exim for looking up a value, in certain situations, the data would be eval()'d twice. This is not remotely exploitable and requires a user account on the Exim server, and an Exim configuration that does lookups against files to which the user has edit access. The end result is that, if the conditions are true, arbitrary code could be executed as the exim user. As described in the posting:
"""
The root cause of this issue is the arguments to mathematical comparison
operations are expanded twice (, >=, =). The inten
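The double expansion described in the bug report above, modelled in Python as an added example; this is not code from Exim or from the report. The lookup table, the user names, the quota condition and the `/usr/bin/touch /tmp/pwned` payload are constructed, `${run{...}}` records the command instead of executing it, and the integer parser is a simplified stand-in for Exim's: the pre-4.83 branch expands an already-expanded comparison operand a second time, while the fixed branch treats the lookup result as data and fails the expansion when it is not a number.

```python
# Model of CVE-2014-2972: ${if >{a}{b}{yes}{no}} operands expanded twice.
# A value returned by a lookup is data, but the pre-4.83 integer parser
# expanded it again, so a local user who can edit the looked-up file can
# plant ${run{...}} and have it executed as the exim user.


class ExpansionError(Exception):
    """Raised where real Exim would fail the string expansion."""


# Constructed stand-in for a lookup file the local user can edit,
# e.g. a per-user quota table consulted by an lsearch lookup.
USER_TABLE = {
    "alice": "5",
    "bob": "15",
    "mallory": "${run{/usr/bin/touch /tmp/pwned}}",   # planted payload
}


class Expander:
    """Tiny subset of Exim's string expander: lookup, run and numeric if."""

    def __init__(self, table, vulnerable):
        self.table = table            # data the lookup reads (attacker-editable)
        self.vulnerable = vulnerable  # True models the pre-4.83 behaviour
        self.ran = []                 # commands ${run{...}} would have executed

    @staticmethod
    def _match(s, i):
        """Index of the '}' closing the '{' at s[i]."""
        depth = 0
        for j in range(i, len(s)):
            if s[j] == "{":
                depth += 1
            elif s[j] == "}":
                depth -= 1
                if depth == 0:
                    return j
        raise ExpansionError("missing }")

    def _args(self, s):
        """Split '{a}lsearch{b}' into its raw, unexpanded brace arguments."""
        args, i = [], 0
        while i < len(s):
            if s[i] == "{":
                j = self._match(s, i)
                args.append(s[i + 1:j])
                i = j + 1
            else:
                i += 1
        return args

    def expand(self, s):
        """Expand every ${...} item in s, left to right."""
        out, i = [], 0
        while i < len(s):
            if s.startswith("${", i):
                end = self._match(s, i + 1)
                out.append(self._item(s[i + 2:end]))
                i = end + 1
            else:
                out.append(s[i])
                i += 1
        return "".join(out)

    def _number(self, text):
        """Integer parser for comparison operands: the site of the bug."""
        if self.vulnerable:
            # Pre-4.83: the operand was already expanded by the caller and is
            # expanded once more here, so ${run{...}} from a lookup executes.
            text = self.expand(text)
        try:
            return int(text.strip())
        except ValueError:
            raise ExpansionError(f'"{text}" is not a number') from None

    def _item(self, body):
        head, _, rest = body.partition("{")
        rest, name = "{" + rest, head.split()
        if name[0] == "run":
            (cmd,) = self._args(rest)
            self.ran.append(self.expand(cmd))
            return "0"                       # stand-in for the command's stdout
        if name[0] == "lookup":
            key, _file = self._args(rest)
            return self.table.get(self.expand(key), "")   # result is data
        if name[0] == "if":
            a, b, yes, no = self._args(rest)
            av, bv = self._number(self.expand(a)), self._number(self.expand(b))
            ok = {">": av > bv, ">=": av >= bv, "<": av < bv,
                  "<=": av <= bv, "=": av == bv}[name[1]]
            return self.expand(yes if ok else no)
        raise ExpansionError(f"unknown item {head!r}")


def quota_check(user, vulnerable, table=USER_TABLE):
    """Evaluate a constructed config condition; returns (result, commands run)."""
    cond = ("${if >{${lookup{" + user + "}lsearch{/home/" + user + "/quota}}}"
            "{10}{over}{ok}}")
    exp = Expander(table, vulnerable)
    try:
        return exp.expand(cond), exp.ran
    except ExpansionError as e:
        return "FAILED: " + str(e), exp.ran


if __name__ == "__main__":
    for user in ("alice", "bob", "mallory"):
        for vulnerable in (True, False):
            print(user, "pre-4.83" if vulnerable else "4.83+", quota_check(user, vulnerable))
```

With the vulnerable flag set, `mallory`'s row makes the comparison evaluate `${run{...}}` and the planted command lands in the executed list; with the fix, the same row just fails the expansion, which is the outcome a patched server should produce for any lookup data that is not a plain number.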
References
http://git.exim.org/exim.git/commitdiff/7685ce68148a083d7759e78d01aa5198fc099c44
http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136251.html
http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136264.html
http://www.ubuntu.com/usn/USN-2933-1
https://bugzilla.redhat.com/show_bug.cgi?id=1122552
https://lists.exim.org/lurker/message/20140722.145949.42c043f5.en.html
https://lists.exim.org/lurker/message/20140722.152452.d6c019e8.en.html
https://security.gentoo.org/glsa/201607-12
Published 2014-09-04