CVE-2023-42118: Integer Underflow (Wrap or Wraparound) in Libspf2

Severity: 8.8 HIGH (NVD)
EPSS: 3.0% (top 13.38%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published May 3

Description

Exim libspf2 Integer Underflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Exim libspf2. Authentication is not required to exploit this vulnerability. The specific flaw exists within the parsing of SPF macros. When parsing SPF macros, the process does not properly validate user-supplied data, which can result in an integer underflow before writing to memory. An attacker can leverage this vulnera

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (3 packages)

CVEListV5 | exim/libspf2 | exim 4.96-RC0-14-24b8ed847-XX
Alpine | libspf2/libspf2 | < 1.2.11-r3+5

Vulnerability Details (3)

GHSA - GHSA-2vq7-8vvf-w66v: Exim libspf2 Integer Underflow Remote Code Execution Vulnerability (2024-05-03)
OSV - CVE-2023-42118: Exim libspf2 Integer Underflow Remote Code Execution Vulnerability (2024-05-03)
OSV - CVE-2023-42118: Exim libspf2 Integer Underflow Remote Code Execution Vulnerability (2024-05-03)

Vendor Advisories (2)

Red Hat - libspf2: Integer Underflow Remote Code Execution Vulnerability (2023-09-27)
Debian - CVE-2023-42118: libspf2 - Exim libspf2 Integer Underflow Remote Code Execution Vulnerability. This vulnera... (2023)

Threat Intelligence (4)

Wiz - Exim 0day Vulnerabilities: Everything You Need to Know | Wiz Blog (2023-10-02)
Wiz - Exim 0day Vulnerabilities: Everything You Need to Know | Wiz Blog (2023-10-02)
Bleepingcomputer - Exim patches three of six zero-day bugs disclosed last week (2023-10-02)
Bleepingcomputer - Millions of Exim mail servers exposed to zero-day RCE attacks (2023-09-29)
CVE-2023-42118 — Integer Underflow (Wrap or Wraparound) | cvebase