CVE-2019-16928
critical-risk
Published 2019-09-27
Exim 4.92 through 4.92.2 allows remote code execution, a different vulnerability than CVE-2019-15846. There is a heap-based buffer overflow in string_vformat in string.c involving a long EHLO command.
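The affected range above is the fact a responder needs first, so here is a version-triage check written as an added example (not code from the Exim project or from this page). It assumes the advisory's range of 4.92 through 4.92.2, that 4.92.3 is the first fixed upstream release, and that distribution packages may backport the fix without changing the upstream version shown in the banner; every banner and package string below is constructed, not captured from a real host.

```python
import re

# Affected range stated in the advisory: Exim 4.92 through 4.92.2 inclusive.
# Anything above is treated as fixed (assumption: 4.92.3 is the first fixed release).
AFFECTED_MIN = (4, 92, 0)
AFFECTED_MAX = (4, 92, 2)

# Matches "Exim 4.92.2" in an SMTP greeting and "Exim version 4.92.3" from `exim -bV`.
VERSION_RE = re.compile(r"\bExim\s+(?:version\s+)?(\d+)\.(\d+)(?:\.(\d+))?", re.IGNORECASE)

# A distro package revision ("4.92-8+deb10u3", "4.92-7ubuntu1.3") means the upstream
# version alone cannot decide: the fix may have been backported without a version bump.
DISTRO_REVISION_RE = re.compile(r"^\d+\.\d+(?:\.\d+)?-\S+")


def parse_exim_version(text):
    """Return (major, minor, patch) parsed from a banner or `exim -bV` line, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def assess(text, package_version=None):
    """Classify one host against CVE-2019-16928.

    text:            SMTP greeting line or `exim -bV` output.
    package_version: optional distro package version string, e.g. the output of
                     `dpkg-query -W -f='${Version}' exim4-base` on Debian/Ubuntu.
    """
    version = parse_exim_version(text)
    if version is None:
        return "unknown"            # banner hidden/customised or not Exim: check locally
    if version < AFFECTED_MIN:
        return "outside-affected-range"
    if version > AFFECTED_MAX:
        return "fixed"
    if package_version and DISTRO_REVISION_RE.match(package_version):
        return "check-backport"     # in range, but the distro may have backported the fix
    return "vulnerable"


# Constructed sample inputs (hostnames, banners and the Debian-style package string
# are made up for illustration).
SAMPLE_HOSTS = [
    ("mx1", "220 mx1.example.test ESMTP Exim 4.92.2 Fri, 27 Sep 2019 10:00:00 +0000", None),
    ("mx2", "220 mx2.example.test ESMTP Exim 4.92.3 Sat, 28 Sep 2019 10:00:00 +0000", None),
    ("mx3", "Exim version 4.92 #3 built 01-Sep-2019 12:00:00", "4.92-8+deb10u3"),
    ("mx4", "220 mx4.example.test ESMTP Exim 4.91 Mon, 01 Jul 2019 10:00:00 +0000", None),
    ("mx5", "220 mx5.example.test ESMTP ready", None),
]


def triage(hosts):
    """Return {hostname: verdict} for a list of (name, text, package_version) tuples."""
    return {name: assess(text, pkg) for name, text, pkg in hosts}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_HOSTS).items():
        print(f"{name}: {verdict}")
```

Two caveats when using a check like this in practice: the SMTP greeting is set by Exim's smtp_banner option and is often customised or stripped of the version, so an "unknown" verdict means run `exim -bV` on the host rather than assuming it is safe; and a "check-backport" verdict should be resolved from the package changelog (on Debian-based systems, grep the exim4 changelog for CVE-2019-16928) rather than from the version number alone.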
Do I need to act?
EPSS: 89.8% chance of exploitation in the next 30 days (higher than 10% of all CVEs)
CISA KEV: actively exploited in the wild; listed on the Known Exploited Vulnerabilities catalog, so federal agencies must patch
Patch status: fixed upstream in Exim 4.92.3; distribution updates are listed under References (DSA-4536, USN-4141-1, GLSA 202003-47). Check vendor advisories for backported fixes and mitigation guidance.
CVSS 9.8/10 · Critical · attack vector: Network · attack complexity: Low
Affected Products (6)
Affected Vendors
References (29)
Issue Tracking
https://bugs.exim.org/show_bug.cgi?id=2449
Mailing List
https://seclists.org/bugtraq/2019/Sep/60
Third Party Advisory
https://security.gentoo.org/glsa/202003-47
Third Party Advisory
https://usn.ubuntu.com/4141-1/
Third Party Advisory
https://www.debian.org/security/2019/dsa-4536
and 9 more references
Risk score: 72/100 · critical-risk
Severity: 32/34 · Critical
Exploitability: 27/34 · High
Exposure: 13/34 · Low