Exim versions 4.87 through 4.91 suffer from a local privilege escalation vulnerability.
f66d7f3a31ac18712c80085004dbe2a60269462f0ed94217c0afa6f03a4f8107
Debian Linux Security Advisory 4488-1 - Jeremy Harris discovered that Exim, a mail transport agent, does not properly handle the ${sort } expansion. This flaw can be exploited by a remote attacker to execute programs with root privileges in non-default (and unusual) configurations where ${sort } expansion is used for items that can be controlled by an attacker.
5bd894cb502f0a1c6aee91997321470689edd511f79126588a1120bddff4d630
Ubuntu Security Notice 4075-1 - Jeremy Harris discovered that Exim incorrectly handled sort expansions. In environments where sort expansions are used, a remote attacker could possibly use this issue to execute arbitrary code as root.
af9a5c43a6ba001d6f9f739c96c14a1101ba928e6aaf880efbaa5758c3abbddc
Qualys discovered a remote command execution vulnerability in Exim versions 4.87 to 4.91.
ccf81b809451dabd0ae35b330095955b9998319116314052fc75a06a7dd5e3e8
Gentoo Linux Security Advisory 201906-1 - A vulnerability in Exim could allow a remote attacker to execute arbitrary commands. Versions less than 4.92 are affected.
a3da7ce79662c13585cde53abd610ea317462f97afc3099957d04af79577eaa6
Ubuntu Security Notice 4010-1 - It was discovered that Exim incorrectly handled certain decoding operations. A remote attacker could possibly use this issue to execute arbitrary commands.
e254ca1fcd34d1dbc6122ae985d24828cd5607f4d4eb3a341f82838dfa7cd5b3
Debian Linux Security Advisory 4456-1 - The Qualys Research Labs reported a flaw in Exim, a mail transport agent. Improper validation of the recipient address in the deliver_message() function may result in the execution of arbitrary commands.
0cd1d0a2bc006718e3f130c1b1c0b5a56897616f1aabae70b5dba7ad89aedea3
Exim version 4.90 remote code execution exploit.
19a743e6423b65998debf24be560524e381d039e1cadcd20d9257dd956d9b4a1
Exim versions prior to 4.90.1 suffer from a base64d remote code execution vulnerability.
7ca9d4d2ad8a8f94f402c2a0986a1bcb33596bff697621e2afcde815f2f4b0d8
Gentoo Linux Security Advisory 201803-1 - Multiple vulnerabilities have been found in Exim, the worst of which allows remote attackers to execute arbitrary code. Versions less than 4.90.1 are affected.
fae08f3a967abdc43a1c026ad3ce23d707d739eacf930009ae729881c47b4e5c
Ubuntu Security Notice 3565-1 - Meh Chang discovered that Exim incorrectly handled memory in certain decoding operations. A remote attacker could use this issue to cause Exim to crash, resulting in a denial of service, or possibly execute arbitrary code.
af6290b7d81b5f37c8718f3ea211ac9f5fe0e3ba2706920599cde51286c5524b
Debian Linux Security Advisory 4110-1 - Meh Chang discovered a buffer overflow flaw in a utility function used in the SMTP listener of Exim, a mail transport agent. A remote attacker can take advantage of this flaw to cause a denial of service, or potentially the execution of arbitrary code via a specially crafted message.
177e2fda59e9e6ba3a12f1c8d564ad42a8ca0e3bef74df674862b69bd02f1f54
Ubuntu Security Notice 3499-1 - It was discovered that Exim incorrectly handled certain BDAT data headers. A remote attacker could possibly use this issue to cause Exim to crash, resulting in a denial of service.
84f6e7318add2363801a7c087f557e0bfddc5858647315c8653fcfcb594b870e
Exim version 4.89 suffers from a denial of service vulnerability while parsing the BDAT data header.
06400f3e55ff24c12a728e79c0653462e865d8c5b296a559adff089a0a57f067
Ubuntu Security Notice 3493-1 - It was discovered that Exim incorrectly handled memory in the ESMTP CHUNKING extension. A remote attacker could use this issue to cause Exim to crash, resulting in a denial of service, or possibly execute arbitrary code. The default compiler options for affected releases should reduce the vulnerability to a denial of service.
b682ce23a365c9f0c1a12f999ea8890678e6432dec8406a563bfa963c428342c
Gentoo Linux Security Advisory 201709-19 - A vulnerability in Exim may allow local users to gain root privileges. Versions less than 4.89-r1 are affected.
e4e8753acd88314f65a96fcfa803a6925a200130dc25cc90535c49d136149011
Ubuntu Security Notice 3322-1 - It was discovered that Exim did not properly deallocate memory when processing certain command line arguments. A local attacker could use this in conjunction with another vulnerability to possibly execute arbitrary code and gain administrative privileges.
91dac33c04bf4f77abf899743cfd413b34537fcac33053883f9d554f431ee119
This Metasploit module exploits a command injection vulnerability in WordPress version 4.6 with Exim as an MTA via a spoofed Host header to PHPMailer, a mail-sending library that is bundled with WordPress. A valid WordPress username is required to exploit the vulnerability. Additionally, due to the altered Host header, exploitation is limited to the default virtual host, assuming the header isn't mangled in transit. If the target is running Apache 2.2.32 or 2.4.24 and later, the server may have HttpProtocolOptions set to Strict, preventing a Host header containing parens from passing through, making exploitation unlikely.
928eb6125df4b025be7b68270b411eb5dfb58e8b71a32b25b6ed380ce5e0f241
Ubuntu Security Notice 3164-1 - Bjoern Jacke discovered that Exim incorrectly handled DKIM keys. In certain configurations, private DKIM signing keys could be leaked to the log files.
c2586094b5f6fd1850c04f8c9df8ab3a7d0dd8e5752195fd1f23018fceb24c5d
Exim4 in some variants is started as root but switches to uid/gid Debian-exim/Debian-exim. But as Exim might need to store received messages in user mailboxes, it has to have the ability to regain privileges. This is also true when Exim is started as "sendmail". During internal operation, sendmail (Exim) will manipulate message spool files in directory structures owned by user "Debian-exim" without caring about symlink attacks. Thus execution of code as user "Debian-exim" can be used to gain root privileges by invoking "sendmail" as user "Debian-exim".
bd74c62b27f39b7f46709bc09cd8804cada21ce8799966cc4bc67706ff142d5b
This Metasploit module exploits a Perl injection vulnerability in Exim versions prior to 4.86.2 given the presence of the "perl_startup" configuration parameter.
9244d1a56ca1a0b4187fc7d9232dd5485fbbf380c0bdb9f35ea79df0019c335a
Ubuntu Security Notice 2933-1 - It was discovered that Exim incorrectly filtered environment variables when used with the perl_startup configuration option. If the perl_startup option was enabled, a local attacker could use this issue to escalate their privileges to the root user. This issue has been fixed by having Exim clean the complete execution environment by default on startup, including any subprocesses such as transports that call other programs. This change in behaviour may break existing installations and can be adjusted by using two new configuration options, keep_environment and add_environment. Various other issues were also addressed.
4d1c0664786aa724ab53583f3fef9a7abd6f25ae6008251ecde90b82fec34351
Exim versions prior to 4.86.2 suffer from a local root privilege escalation vulnerability. When an Exim installation has been compiled with Perl support and contains a perl_startup configuration variable, it can be exploited by malicious local attackers to gain root privileges.
c8b37f6ba0c1a3bd66f5d17781dd1c98a33edc213484ca6db8095fef81937ebc
Exim versions 4.84-3 and below suffer from a local privilege escalation vulnerability.
338e278d54bff0fcb3160902a0f4e6e04e509da47b831229d06ee56563a1ce5c
This Metasploit module remotely exploits CVE-2015-0235 (a.k.a. GHOST, a heap-based buffer overflow in the GNU C Library's gethostbyname functions) on x86 and x86_64 GNU/Linux systems that run the Exim mail server.
a904662b081b766808bd7e6e1ad410a102718e996535c406d1a81766eee34d73
Exim ESMTP denial of service exploit that leverages the GHOST glibc gethostbyname buffer overflow.
5ecc35645890c0c48e753cb63b2c03579f6cc942a311b5aad37e578368a54b58