CVE-2019-10149: Exim Remote Code Execution Vulnerability Alert
Recently, Linux’s mail transfer agent Exim was exposed to a remote code execution vulnerability (CVE-2019-10149) caused by incorrect validation of the recipient’s address in the deliver_message() function in /src/deliver.c.
Eximis a mail transfer agent (MTA) used on Unix-like operating systems. Exim is free software distributed under the terms of the GNU General Public License, and it aims to be a general and flexible mailer with extensive facilities for checking incoming e-mail.
Exim has been ported to most Unix-like systems, as well as to Microsoft Windows using the Cygwin emulation layer. Exim 4 is currently the default MTA on Debian GNU/Linux systems.
A large number of Exim installations exist, especially within Internet service providers and universities in the UK. Exim is also widely used with the GNU Mailman mailing list manager, and cPanel.
| CVSS3 Base Score | 9 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H |
Affected version
- Exim Version >= 4.87
- Exim Version <= 4.91
Unaffected version
- Exim Version 4.92
Solution
Exim officially fixed the vulnerability in version 4.92. Users recommend upgrading to unaffected version as soon as possible.
