CVE-2024-39929 — Improper Encoding or Escaping of Output in Exim

CWE-116 — Improper Encoding or Escaping of Output CWE-693 — Protection Mechanism Failure8 documents8 sources

Severity

5.4MEDIUMNVD

EPSS

60.3%

top 1.71%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Exim

Timeline

PublishedJul 4

Latest updateJul 31

Description

Exim through 4.97.1 misparses a multiline RFC 2231 header filename, and thus remote attackers can bypass a $mime_filename extension-blocking protection mechanism, and potentially deliver executable attachments to the mailboxes of end users.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.5

Affected Packages1 packages

▶NVDexim/exim4.97.1

Patches

Patch: git.exim.org ↗Patch: git.exim.org ↗Patch: git.exim.org ↗

🔴Vulnerability Details

OSV

CVE-2024-39929: Exim through 4↗2024-07-04

▶

GHSA

GHSA-7m4v-cwm7-4f2m: Exim through 4↗2024-07-04

▶

CVEList

CVE-2024-39929: Exim through 4↗2024-07-04

▶

📋Vendor Advisories

Ubuntu

Exim vulnerability↗2024-07-31

▶

Red Hat

exim: exim: Incorrect parsing of multiline rfc2231 header filename↗2024-07-04

▶

Debian

CVE-2024-39929: exim4 - Exim through 4.97.1 misparses a multiline RFC 2231 header filename, and thus rem...↗2024

▶

🕵️Threat Intelligence

Wiz

CVE-2025-67896 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶