CVE-2019-19920
moderate-risk
Published 2019-12-22
sa-exim 4.2.1 allows attackers to execute arbitrary code if they can write a .cf file or a rule. This occurs because Greylisting.pm relies on eval (rather than direct parsing and/or use of the taint feature). This issue is similar to CVE-2018-11805.
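The bug class described above, shown as an added illustration that is not sa-exim's own code and does not reproduce Greylisting.pm's actual configuration syntax: a loader that hands each right-hand side of a `.cf`-style file to `eval` (so whoever can write the file runs code in the daemon's context) next to a loader that parses only the directive shapes it expects. The directive names, the sample file contents and the `SIDE_EFFECT` marker are constructed for the example; the point carries over from Perl's string `eval` to Python's `eval` unchanged.

```python
"""Added example for the CVE-2019-19920 bug class (not sa-exim code).

Two ways to read a greylisting config file: an unsafe loader that evaluates
every value as code, and a strict loader that parses only known directives
with per-directive validators. File contents below are constructed.
"""
import re

# Constructed benign config (directive names are assumptions, not sa-exim's).
BENIGN_CF = """\
# greylisting.cf (constructed example)
greylist_delay = 300
greylist_whitelist = 10.0.0.0/8, 192.168.1.10
"""

# Constructed hostile line: a file writer smuggles code into a value. The
# payload only records that it ran; a real one would spawn a shell.
MALICIOUS_CF = "greylist_delay = SIDE_EFFECT.append('ran') or 300\n"

SIDE_EFFECT = []  # filled in only if attacker-supplied code actually executes


def load_config_unsafe(text):
    """Vulnerable pattern: each value is evaluated as code.

    Anyone who can write the file gets arbitrary code execution with the
    privileges of the process that loads it. (Only values that happen to be
    valid Python survive; the benign whitelist line above would not.)
    """
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        key, _, value = line.partition('=')
        cfg[key.strip()] = eval(value.strip())  # deliberately unsafe
    return cfg


# Hardened pattern: explicit parsing, one validator per known directive.
_CIDR_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?$")


def parse_int(value):
    """Accept only a bare non-negative integer."""
    if not re.fullmatch(r"\d+", value):
        raise ValueError(f"expected integer, got {value!r}")
    return int(value)


def parse_host_list(value):
    """Accept a comma-separated list of IPv4 addresses or CIDR blocks."""
    items = [v.strip() for v in value.split(',') if v.strip()]
    for item in items:
        if not _CIDR_RE.match(item):
            raise ValueError(f"bad host entry {item!r}")
    return items


SCHEMA = {
    'greylist_delay': parse_int,
    'greylist_whitelist': parse_host_list,
}


def load_config_strict(text):
    """Safe pattern: unknown directives and malformed values are rejected,
    and no value is ever interpreted as code."""
    cfg = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        key, sep, value = line.partition('=')
        key, value = key.strip(), value.strip()
        if not sep or key not in SCHEMA:
            raise ValueError(f"line {lineno}: unknown or malformed directive {key!r}")
        cfg[key] = SCHEMA[key](value)
    return cfg


if __name__ == '__main__':
    print("strict, benign:", load_config_strict(BENIGN_CF))
    try:
        load_config_strict(MALICIOUS_CF)
    except ValueError as exc:
        print("strict, hostile: rejected:", exc)
    print("unsafe, hostile:", load_config_unsafe(MALICIOUS_CF), "ran:", SIDE_EFFECT)
```

The hardened loader is what "direct parsing" in the description amounts to: a closed set of directive names, a validator per directive, and a parse failure rather than an evaluation when a line does not fit. Perl's taint mode, the other option the description mentions, would instead stop tainted file data from reaching `eval` at all.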
Do I need to act?
EPSS: 3.5% chance of exploitation in the next 30 days (moderate exploit probability)
CISA KEV: not listed; no confirmed active exploitation reported to CISA
Patch status: unknown on this page; check vendor advisories for fix availability and mitigation guidance (the Debian bug report and Ubuntu USN-4520-1 listed under References are the places to start)
CVSS: 8.8/10 (High), attack vector NETWORK, attack complexity LOW
Affected Products (5)
Affected Vendors
References (10)
Mailing List
https://bugs.debian.org/946829#24
Third Party Advisory
https://usn.ubuntu.com/4520-1/
Risk score: 49/100 (moderate-risk)
Severity: 30/34 (Critical)
Exploitability: 7/34 (Low)
Exposure: 12/34 (Low)