Description
Exim 4.98 before 4.98.1, when SQLite hints and ETRN serialization are used, allows remote SQL injection.
Report
The following conditions all have to be met for an installation to be vulnerable:
- Exim version 4.98
- Build-time option USE_SQLITE is set (it enables the use of SQLite for the hints databases); check whether the output of exim -bV contains:
  Hints DB:
  Using sqlite3
- Runtime config enables ETRN (acl_smtp_etrn returns accept; defaults to deny)
- Runtime config enforces ETRN serialization (smtp_etrn_serialize is set to true; defaults to true)
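A shell check of those four preconditions, added here as an example that is not part of the advisory: it evaluates constructed sample output of exim -bV and exim -bP instead of running Exim, and assumes the usual -bP line format (booleans printed as the bare option name or with a no_ prefix).

```shell
#!/bin/sh
# Added example, not from the advisory: evaluate the four preconditions from
# the text of `exim -bV` and `exim -bP <option>` output supplied as strings,
# so it can be run against captured output offline.

# Constructed sample of `exim -bV` output (not captured from a real host).
SAMPLE_BV='Exim version 4.98 #2 built 01-Jan-2025 00:00:00
Support for: crypteq iconv() IPv6 PAM Perl TLS
Hints DB:
 Using sqlite3
Configuration file is /etc/exim/exim.conf'

# True when the build is the affected 4.98 release (4.98.1 does not match).
exim_version_is_4_98() {
  printf '%s\n' "$1" | grep -q '^Exim version 4\.98 '
}

# True when the "Hints DB:" section of -bV output names sqlite3 (USE_SQLITE).
hints_db_is_sqlite() {
  printf '%s\n' "$1" | sed -n '/^Hints DB:/,/^[^ ]/p' | grep -qi 'sqlite3'
}

# $1 is the `exim -bP acl_smtp_etrn` line. The default (deny) shows as an
# empty value; any configured ACL is treated as "may accept" and flagged.
# That is a conservative assumption, since the ACL is evaluated at runtime.
etrn_enabled() {
  value=$(printf '%s\n' "$1" | sed -n 's/^acl_smtp_etrn *= *//p')
  [ -n "$value" ]
}

# $1 is the `exim -bP smtp_etrn_serialize` line; -bP prints booleans as the
# bare option name (true) or with a "no_" prefix (false).
etrn_serialized() {
  printf '%s\n' "$1" | grep -qx 'smtp_etrn_serialize'
}

# Prints "exposed" only when all four preconditions hold.
assess() {
  if exim_version_is_4_98 "$1" && hints_db_is_sqlite "$1" \
      && etrn_enabled "$2" && etrn_serialized "$3"; then
    echo exposed
  else
    echo not-exposed
  fi
}

# Stand-alone run against the constructed sample.
assess "$SAMPLE_BV" 'acl_smtp_etrn = accept' 'smtp_etrn_serialize'
```

On a real host, feed the function the captured output of exim -bV, exim -bP acl_smtp_etrn and exim -bP smtp_etrn_serialize; a result of "exposed" means the fix in 4.98.1 applies.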
Additional information
Status:
Important
Defect:
CWE-89
https://bugzilla.redhat.com/show_bug.cgi?id=2346981
exim: Exim: remote SQL injection
CVSS3: 7.5 High
Related vulnerabilities
- ubuntu (CVSS3: 7.5, 10 months ago): Exim 4.98 before 4.98.1, when SQLite hints and ETRN serialization are used, allows remote SQL injection.
- nvd (CVSS3: 7.5, 10 months ago): Exim 4.98 before 4.98.1, when SQLite hints and ETRN serialization are used, allows remote SQL injection.
- debian (CVSS3: 7.5, 10 months ago): Exim 4.98 before 4.98.1, when SQLite hints and ETRN serialization are ...
- github (CVSS3: 7.5, 10 months ago): Exim 4.98 before 4.98.1, when SQLite hints and ETRN serialization are used, allows remote SQL injection.
- fstec (CVSS3: 7.5, 10 months ago): Vulnerability in the SQLite hints and ETRN serialization functions of the Exim mail server, allowing an attacker to cause a denial of service
CVSS3: 7.5 High