CVE-2019-19920
HIGH
sa-exim 4.2.1 - OS Command Injection via Greylisting.pm Eval
Title source: llmDescription
sa-exim 4.2.1 allows attackers to execute arbitrary code if they can write a .cf file or a rule. This occurs because Greylisting.pm relies on eval (rather than direct parsing and/or use of the taint feature). This issue is similar to CVE-2018-11805.
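As an added illustration of the weakness class the description names, not sa-exim's own Greylisting.pm code: a Perl configuration loader that hands each option's right-hand side to eval, beside one that parses each value against an expected shape and stores it as plain data. The option names, the constructed .cf lines (including the injected one) and both loader functions are assumptions made for this example.

```perl
#!/usr/bin/perl
# Illustrative example, not code from sa-exim: the eval-based config loading
# pattern behind CVE-2019-19920 beside a direct-parsing replacement.
use strict;
use warnings;

# Constructed sample .cf content (assumed option names). The third line is what
# someone who can write the config file would supply: the "value" is a Perl
# expression that shells out.
my @cf_lines = (
    'greylist_delay = 300',
    'greylist_msg = "Please try again later"',
    'greylist_delay = system("id > /tmp/pwned")',
);

# Vulnerable pattern: every right-hand side is executed as Perl source, so a
# writable config file is equivalent to arbitrary code execution as the daemon.
sub load_config_with_eval {
    my ($lines) = @_;
    my %cfg;
    for my $line (@$lines) {
        next unless $line =~ /^\s*(\w+)\s*=\s*(.*)$/;
        my ($key, $raw) = ($1, $2);
        $cfg{$key} = eval $raw;   # attacker-controlled string run as code
    }
    return \%cfg;
}

# Hardened pattern: each option has a declared shape; values are matched against
# it and copied as data. Nothing is ever evaluated.
my %schema = (
    greylist_delay => qr/^(\d+)$/,           # integer seconds
    greylist_msg   => qr/^"([^"\\\$\@]*)"$/, # quoted literal, no escapes or sigils
);

sub load_config_parsed {
    my ($lines) = @_;
    my %cfg;
    for my $line (@$lines) {
        next if $line =~ /^\s*(#|$)/;         # comments and blank lines
        $line =~ /^\s*(\w+)\s*=\s*(.*?)\s*$/
            or die "malformed config line: $line\n";
        my ($key, $raw) = ($1, $2);
        my $re = $schema{$key}
            or die "unknown option '$key'\n";
        $raw =~ $re
            or die "rejected value for '$key': $raw\n";
        $cfg{$key} = $1;
    }
    return \%cfg;
}

# The parsing loader refuses the injected line instead of running it.
# (load_config_with_eval is deliberately not called on this input.)
my $cfg = eval { load_config_parsed(\@cf_lines) };
if ($@) {
    print "config rejected: $@";
} else {
    print "$_ = $cfg->{$_}\n" for sort keys %$cfg;
}
```

The description's other remedy, Perl's taint feature, is complementary rather than an alternative to parsing: under `perl -T`, strings read from a file are tainted and `eval EXPR` on a tainted string dies with an "Insecure dependency" error before anything runs, which turns the injection into a crash but still leaves the loader unable to handle the file. Matching each value against a declared shape, as above, is what lets the daemon keep working on legitimate configs while rejecting hostile ones.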
References (5)
Mailing List, Patch, Third Party Advisory (x_refsource_misc)
https://bugs.debian.org/946829#24
Mailing List, Third Party Advisory (x_refsource_misc)
https://marc.info/?l=spamassassin-users&m=157668107325768&w=2
Mailing List, Third Party Advisory (x_refsource_misc)
https://marc.info/?l=spamassassin-users&m=157668305026635&w=2
Mailing List, Third Party Advisory (mailing-list, x_refsource_mlist)
https://lists.debian.org/debian-lts-announce/2020/01/msg00006.html
Third Party Advisory (vendor-advisory, x_refsource_ubuntu)
https://usn.ubuntu.com/4520-1/
Scores
CVSS v3
8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Attack Vector
NETWORK
EPSS
0.0306 (86.9th percentile)
Details
CWE
CWE-78
Status
published
Products (5)
canonical/ubuntu_linux 16.04
debian/debian_linux 8.0
debian/debian_linux 9.0
debian/debian_linux 10.0
sa-exim_project/sa-exim 4.2.1
Published
Dec 22, 2019
Tracked Since
Feb 18, 2026