CVE-2019-19920 — OS Command Injection in Sa-exim

CWE-78 — OS Command Injection6 documents5 sources

Severity

8.8HIGHNVD

OSV6.7

EPSS

3.5%

top 12.45%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Sa-exim Debian Sa-exim Canonical Ubuntu Linux +2 more

Timeline

PublishedDec 22

Latest updateMay 24

Description

sa-exim 4.2.1 allows attackers to execute arbitrary code if they can write a .cf file or a rule. This occurs because Greylisting.pm relies on eval (rather than direct parsing and/or use of the taint feature). This issue is similar to CVE-2018-11805.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages4 packages

▶debiandebian/sa-exim< sa-exim 4.2.1-19 (bookworm)

▶Debiansa-exim/sa-exim< 4.2.1-19+2

▶Ubuntusa-exim/sa-exim< 4.2.1-14+deb8u1build0.16.04.1

▶NVDsa-exim_project/sa-exim4.2.1

Also affects: Debian Linux 10.0, 8.0, 9.0, Ubuntu Linux 16.04

Patches

Patch: bugs.debian.org ↗Patch: bugs.debian.org ↗

🔴Vulnerability Details

GHSA

GHSA-28xw-m7jp-89ch: sa-exim 4↗2022-05-24

▶

OSV

sa-exim vulnerability↗2020-09-18

▶

OSV

CVE-2019-19920: sa-exim 4↗2019-12-22

▶

📋Vendor Advisories

Ubuntu

Exim SpamAssassin vulnerability↗2020-09-18

▶

Debian

CVE-2019-19920: sa-exim - sa-exim 4.2.1 allows attackers to execute arbitrary code if they can write a .cf...↗2019

▶