CVE-2010-4345

Publication date 14 December 2010

Last updated 21 August 2024


Ubuntu priority

Cvss 3 Severity Score

7.8 · High

Exim 4.72 and earlier allows local users to gain privileges by leveraging the ability of the exim user account to specify an alternate configuration file with a directive that contains arbitrary commands, as demonstrated by the spool_directory directive.

Status

Package   Ubuntu Release    Status
exim4     10.10 maverick    Fixed 4.72-1ubuntu1.1
exim4     10.04 LTS lucid   Fixed 4.71-3ubuntu1.1
exim4     9.10 karmic       Fixed 4.69-11ubuntu4.2
exim4     8.04 LTS hardy    Fixed 4.69-2ubuntu0.3
exim4     6.06 LTS dapper   Fixed 4.60-3ubuntu3.3

Notes

mdeslaur

Patches are behaviour-altering. See the list of changes here: http://git.exim.org/exim.git/blob/HEAD:/doc/doc-txt/IncompatibleChanges

See Debian DSA-2154-2 for the regression fix: http://lists.debian.org/debian-security-announce/2011/msg00020.html and http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=611572

Patch details

For informational purposes only. We recommend not cherry-picking updates.

Package   Patch details
exim4     (none listed)

Severity score breakdown

Parameter              Value
Base score             7.8 · High
Attack vector          Local
Attack complexity      Low
Privileges required    Low
User interaction       None
Scope                  Unchanged
Confidentiality impact High
Integrity impact       High
Availability impact    High
Vector                 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H