CVE-2019-15846
published 2019-09-27


Priority: P1 (94), critical, 9.8 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW, Exploit, VulnCheck KEV, Ransomware, Initial access
Exploited in the wild
EPSS: 35.74% (98.3 percentile)
Exim 4.92 through 4.92.2 allows remote code execution, a different vulnerability than CVE-2019-15846. There is a heap-based buffer overflow in string_vformat in string.c involving a long EHLO command.

Affected

11 ranges

Vendor          Product        Version range                    Fixed in
canonical       ubuntu_linux
debian          debian_linux
debian          debian_linux
debian          debian_linux
debian          exim4          < exim4 4.92.1-3 (bookworm)      exim4 4.92.1-3 (bookworm)
debian          exim4          < exim4 4.92.2-3 (bookworm)      exim4 4.92.2-3 (bookworm)
exim            exim           < 4.92.2                         4.92.2
exim            exim           4.92 – 4.92.2
fedoraproject   fedora
fedoraproject   fedora
fedoraproject   fedora

Detection & IOCs (extracted from sources)

  • CVE-2019-15846 is exploitable via a trailing backslash in SMTP input, triggering an out-of-bounds access in string_interpret_escape() in the Exim SMTP delivery process.
  • The vulnerable function is string_interpret_escape(); monitor Exim SMTP sessions for malformed escape sequences (a trailing backslash) in input strings.
  • The vulnerability affects Exim versions prior to 4.92.2; identify exposed Exim instances via banner grabbing or Shodan-style scanning and flag any version below 4.92.2.
  • Red Hat Enterprise Linux 5 ships a vulnerable version of Exim, but the flaw is not exposed to untrusted input in that configuration, so remote code execution is not achievable on RHEL 5.
  • Exim is not shipped with Red Hat Enterprise Linux 6, 7, or 8, so those platforms are not affected.

CVSS provenance

Source          Version   Score   Severity    Vector
nvd             v3.0      9.8     CRITICAL    CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0      10.0    CRITICAL    AV:N/AC:L/Au:N/C:C/I:C/A:C
osv                       9.8     CRITICAL
vulncheck                 9.8     CRITICAL
vendor_debian             9.8     CRITICAL
vendor_redhat             9.8     CRITICAL