CVE-2011-1407

The DKIM implementation in Exim 4.7x before 4.76 permits matching for DKIM identities to apply to lookup items, instead of only strings, which allows remote attackers to execute arbitrary code or access a filesystem via a crafted identity.

CVSS v2.0 7.5 HIGH

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://www.securityfocus.com/bid/47836
https://lists.exim.org/lurker/message/20110512.102909.8136175a.en.html	Patch
https://lists.exim.org/lurker/message/20110509.091632.daed0206.en.html	Patch
http://www.debian.org/security/2011/dsa-2236
http://www.ubuntu.com/usn/USN-1135-1

Advertisement

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:exim:exim:4.74:::::::*
	cpe:2.3:a:exim:exim:4.75:::::::*
	cpe:2.3:a:exim:exim:4.72:::::::*
	cpe:2.3:a:exim:exim:4.73:::::::*
	cpe:2.3:a:exim:exim:4.70:::::::*
	cpe:2.3:a:exim:exim:4.71:::::::*

Information

Published : 2011-05-16 11:55

Updated : 2011-09-06 20:15

NVD link : CVE-2011-1407

Mitre link : CVE-2011-1407

JSON object : View

CWE

CWE-20

Improper Input Validation

Advertisement

Products Affected

exim

exim

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://www.securityfocus.com/bid/47836", "name": "47836", "tags": [], "refsource": "BID"}, {"url": "https://lists.exim.org/lurker/message/20110512.102909.8136175a.en.html", "name": "[exim-announce] 20110512 Exim 4.76 Release: updated impact assessment", "tags": ["Patch"], "refsource": "MLIST"}, {"url": "https://lists.exim.org/lurker/message/20110509.091632.daed0206.en.html", "name": "[exim-announce] 20110509 Exim 4.76 Release", "tags": ["Patch"], "refsource": "MLIST"}, {"url": "http://www.debian.org/security/2011/dsa-2236", "name": "DSA-2236", "tags": [], "refsource": "DEBIAN"}, {"url": "http://www.ubuntu.com/usn/USN-1135-1", "name": "USN-1135-1", "tags": [], "refsource": "UBUNTU"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "The DKIM implementation in Exim 4.7x before 4.76 permits matching for DKIM identities to apply to lookup items, instead of only strings, which allows remote attackers to execute arbitrary code or access a filesystem via a crafted identity."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-20"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2011-1407", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "severity": "HIGH", "impactScore": 6.4, "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}}, "publishedDate": "2011-05-16T18:55Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:exim:exim:4.74:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:exim:exim:4.75:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:exim:exim:4.72:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:exim:exim:4.73:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:exim:exim:4.70:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:exim:exim:4.71:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2011-09-07T03:15Z"}