CVE-2019-19920
Severity: High
CVSS: 8.8
WAF coverage: High
Published: 2019-12-22
CWE-78 (OS Command Injection)
sa-exim 4.2.1 allows attackers to execute arbitrary code if they can write a .cf file or a rule. This occurs because Greylisting.pm relies on eval (rather than direct parsing and/or use of the taint feature). This issue is similar to CVE-2018-11805.
WAF Coverage Analysis
- Attack class: OS Command Injection
- WAF coverage: High
- OWASP: A03:2021 Injection
- Rule group: 932xxx - Remote Code Execution
Affected Software
| Vendor | Product | Version |
|---|---|---|
| sa-exim_project | sa-exim | 4.2.1 |
| canonical | ubuntu_linux | 16.04 |
| debian | debian_linux | 8.0 |
| debian | debian_linux | 9.0 |
| debian | debian_linux | 10.0 |
References
- bugs.debian.org (Mailing List, Patch, Third Party Advisory)
- lists.debian.org (Mailing List, Third Party Advisory)
- marc.info (Mailing List, Third Party Advisory)
- marc.info (Mailing List, Third Party Advisory)
- usn.ubuntu.com (Third Party Advisory)