CVE-2024-39929
published 2024-07-04

CVE-2024-39929: Exim through 4.97.1 misparses a multiline RFC 2231 header filename, and thus remote attackers can bypass a $mime_filename extension-blocking protection…

Priority: P342 · medium · 5.4 (CVSS 3.1)
CVSS vector: AV:N AC:L PR:N UI:R S:U C:L I:L A:N
EPSS: 41.23% (98.5th percentile)
Exim through 4.97.1 misparses a multiline RFC 2231 header filename, and thus remote attackers can bypass a $mime_filename extension-blocking protection mechanism, and potentially deliver executable attachments to the mailboxes of end users.

Affected

2 ranges

Vendor   Product   Version range                          Fixed in
debian   exim4     < exim4 4.96-15+deb12u5 (bookworm)     exim4 4.96-15+deb12u5 (bookworm)
exim     exim      <= 4.97.1                              -

Detection & IOCs (extracted from sources)

  • Exim misparses multiline RFC 2231 header filenames, allowing bypass of the $mime_filename extension-blocking protection mechanism. Detect crafted emails with multiline MIME header filenames (RFC 2231 encoded) that split a blocked extension across continuation lines.
  • Monitor for executable attachments delivered to end-user mailboxes via Exim versions up to and including 4.97.1, particularly where $mime_filename extension blocking is configured but may be bypassed by multiline MIME header filename encoding.
  • The bypass only affects deployments where $mime_filename extension-blocking is configured in Exim ACLs. Installations not using this protection mechanism are not affected by the bypass logic, though they may still receive malicious attachments.
  • This flaw requires end-user interaction to execute the delivered attachment; the vulnerability itself does not result in automatic code execution on the mail server.
  • Fixed in Exim 4.98 (changelog reference 3099). The Debian bookworm fix is in 4.96-15+deb12u5; the bullseye fix is in 4.94.2-7+deb11u3. All Exim versions through 4.97.1 are vulnerable.
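As an added example (not code from the advisory, from Exim or from Debian), the following Python reassembles RFC 2231 continuation sections (filename*0, filename*1, and the charset-tagged filename*0* form) before checking the extension, beside a naive single-parameter check that misses the split. The blocklist and both MIME parts are constructed, and the reassembly uses Python's email package rather than Exim's MIME parser.

```python
# Added example (not code from the advisory, Exim or Debian): reassemble
# RFC 2231 continuation sections before checking an attachment extension.
import email
import re
from typing import Optional

# Constructed sample blocklist, standing in for an ACL's extension list.
BLOCKED_EXTENSIONS = {"exe", "scr", "bat", "com", "pif", "vbs", "js"}

# Constructed MIME part: the name arrives as two RFC 2231 sections on
# folded header lines, so no single line contains "invoice.exe".
SPLIT_PART = (
    "Content-Type: application/octet-stream\n"
    "Content-Disposition: attachment;\n"
    '\tfilename*0="invoice.ex";\n'
    '\tfilename*1="e"\n'
    "\n"
    "placeholder body, not a real executable\n"
)

# Constructed MIME part in the charset-tagged, percent-encoded form.
ENCODED_PART = (
    "Content-Type: application/octet-stream\n"
    "Content-Disposition: attachment;\n"
    "\tfilename*0*=utf-8''re%70ort.s;\n"
    "\tfilename*1*=cr\n"
    "\n"
    "placeholder body\n"
)

_NAIVE_RE = re.compile(r'\bfilename="([^"]*)"', re.IGNORECASE)

def naive_filename(raw_part: str) -> Optional[str]:
    """Honours only a plain filename="..." parameter, as a weak check might."""
    match = _NAIVE_RE.search(raw_part)
    return match.group(1) if match else None

def rfc2231_filename(raw_part: str) -> Optional[str]:
    """Joins filename*N / filename*N* sections via the email package."""
    return email.message_from_string(raw_part).get_filename()

def extension_of(name: Optional[str]) -> Optional[str]:
    return name.rsplit(".", 1)[1].lower() if name and "." in name else None

def is_blocked(raw_part: str, filename_getter=rfc2231_filename) -> bool:
    """True when the (reassembled) attachment extension is blocklisted."""
    return extension_of(filename_getter(raw_part)) in BLOCKED_EXTENSIONS
```

The same reassembly step applies to any filter keyed on $mime_filename: check the extension only on the joined value, never on a single header line.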

CVSS provenance

nvd (v3.1)       5.4 MEDIUM   CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
osv              5.4 MEDIUM
vendor_debian    5.4 MEDIUM
vendor_redhat    5.4 MEDIUM