CVE-2017-1000369
Summary
| CVE | CVE-2017-1000369 |
|---|---|
| State | PUBLISHED |
| Assigner | mitre |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2017-06-19 16:29:00 UTC |
| Updated | 2025-04-20 01:37:25 UTC |
| Description | Exim supports the use of multiple "-p" command line arguments which are malloc()'ed and never free()'ed, used in conjunction with other issues allows attackers to cause arbitrary code execution. This affects exim version 4.89 and earlier. Please note that at this time upstream has released a patch (commit 65e061b76867a9ea7aeeb535341b790b90ae6c21), but it is not known if a new point release is available that addresses this issue at this time. |
Risk And Classification
Primary CVSS: v3.1 4 MEDIUM from [email protected]
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Problem Types: CWE-404 | n/a
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Primary | 4 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| 2.0 | [email protected] | Primary | 2.1 | AV:L/AC:L/Au:N/C:N/I:P/A:N |
CVSS v3.1 Breakdown
Attack Vector
LocalAttack Complexity
LowPrivileges Required
NoneUser Interaction
NoneScope
UnchangedConfidentiality
NoneIntegrity
LowAvailability
NoneCVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CVSS v2.0 Breakdown
Access Vector
LocalAccess Complexity
LowAuthentication
NoneConfidentiality
NoneIntegrity
PartialAvailability
NoneAV:L/AC:L/Au:N/C:N/I:P/A:N
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Debian | Debian Linux | 8.0 | All | All | All |
| Operating System | Debian | Debian Linux | 9.0 | All | All | All |
| Application | Exim | Exim | 4.88 | - | All | All |
| Application | Exim | Exim | 4.88 | rc1 | All | All |
| Application | Exim | Exim | 4.88 | rc2 | All | All |
| Application | Exim | Exim | 4.88 | rc3 | All | All |
| Application | Exim | Exim | 4.88 | rc4 | All | All |
| Application | Exim | Exim | 4.88 | rc5 | All | All |
| Application | Exim | Exim | 4.88 | rc6 | All | All |
| Application | Exim | Exim | 4.89 | - | All | All |
| Application | Exim | Exim | 4.89 | rc1 | All | All |
| Application | Exim | Exim | 4.89 | rc2 | All | All |
| Application | Exim | Exim | 4.89 | rc3 | All | All |
| Application | Exim | Exim | 4.89 | rc4 | All | All |
| Application | Exim | Exim | 4.89 | rc5 | All | All |
| Application | Exim | Exim | 4.89 | rc6 | All | All |
| Application | Exim | Exim | 4.89 | rc7 | All | All |
| Application | Exim | Exim | All | All | All | All |
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Exim: Local privilege escalation (GLSA 201709-19) — Gentoo security | af854a3a-2127-422b-91ae-364da2661108 | security.gentoo.org | Third Party Advisory |
| Exim Memory Leak Lets Local Users Gain Elevated Privileges in Certain Cases - SecurityTracker | af854a3a-2127-422b-91ae-364da2661108 | www.securitytracker.com | Third Party Advisory, VDB Entry |
| Cleanup (prevent repeated use of -p/-oMr to avoid mem leak) · Exim/exim@65e061b · GitHub | af854a3a-2127-422b-91ae-364da2661108 | github.com | Mitigation, Third Party Advisory |
| CVE-2017-1000369 - Red Hat Customer Portal | af854a3a-2127-422b-91ae-364da2661108 | access.redhat.com | Vendor Advisory |
| www.qualys.com/2017/06/19/stack-clash/stack-clash.txt | af854a3a-2127-422b-91ae-364da2661108 | www.qualys.com | Third Party Advisory |
| Debian -- Security Information -- DSA-3888-1 exim4 | af854a3a-2127-422b-91ae-364da2661108 | www.debian.org | Third Party Advisory |
| Exim CVE-2017-1000369 Local Privilege Escalation Vulnerability | af854a3a-2127-422b-91ae-364da2661108 | www.securityfocus.com | Third Party Advisory, VDB Entry |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.