9.3 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
0.931 High
EPSS
Percentile
99.1%
Heap-based buffer overflow in the string_vformat function in string.c in
Exim before 4.70 allows remote attackers to execute arbitrary code via an
SMTP session that includes two MAIL commands in conjunction with a large
message containing crafted headers, leading to improper rejection logging.
Author | Note |
---|---|
mdeslaur | fixed in 4.70 |
jdstrand | while the bug was fixed in 2008, it was not known to be a security bug. Public exploit made available on 2010-12-10 (UTC) |
www.exim.org/lurker/message/20101207.215955.bb32d4f2.en.html
www.exim.org/lurker/message/20101210.071922.233697ac.en.html#exim-dev
launchpad.net/bugs/cve/CVE-2010-4344
nvd.nist.gov/vuln/detail/CVE-2010-4344
security-tracker.debian.org/tracker/CVE-2010-4344
ubuntu.com/security/notices/USN-1032-1
www.cve.org/CVERecord?id=CVE-2010-4344