CVE-2016-9963 — Sensitive Information Exposure in Exim

CWE-320 CWE-200 — Sensitive Information Exposure10 documents8 sources

Severity

5.9MEDIUMNVD

EPSS

1.7%

top 17.80%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian Exim4 Exim Canonical Ubuntu Linux +1 more

Timeline

PublishedFeb 1

Latest updateMay 17

Description

Exim before 4.87.1 might allow remote attackers to obtain the private DKIM signing key via vectors related to log files and bounce messages.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages2 packages

▶debiandebian/exim4< exim4 4.88~RC6-2 (bookworm)

▶NVDexim/exim4.87

Also affects: Debian Linux 8.0, Ubuntu Linux 12.04, 14.04, 16.04, 16.10

🔴Vulnerability Details

GHSA

GHSA-qf64-f8r5-29m4: Exim before 4↗2022-05-17

▶

OSV

CVE-2016-9963: Exim before 4↗2017-02-01

▶

📋Vendor Advisories

Ubuntu

Exim vulnerability↗2017-01-05

▶

Red Hat

exim: Possible information disclosure to remote atacker↗2016-12-16

▶

Debian

CVE-2016-9963: exim4 - Exim before 4.87.1 might allow remote attackers to obtain the private DKIM signi...↗2016

▶

📄Research Papers

arXiv

On the Effectiveness of Type-based Control Flow Integrity↗2020-02-14

▶

💬Community

Bugzilla

CVE-2016-9963 exim: Possible information disclosure to remote atacker↗2016-12-16

▶

Bugzilla

CVE-2016-9963 exim: Possible information disclosure to remote atacker [fedora-all]↗2016-12-16

▶

Bugzilla

CVE-2016-9963 exim: Possible information disclosure to remote atacker [epel-all]↗2016-12-16

▶