From cve-request@mitre.org Mon Sep  2 18:12:21 2019
Return-Path: <cve-request@mitre.org>
Authentication-Results: mx.net.schlittermann.de; iprev=pass
 (smtpvbsrv1.mitre.org) smtp.remote-ip=198.49.146.234; spf=pass
 smtp.mailfrom=mitre.org; dkim=pass header.d=mitre.org header.s=selector1
 header.a=rsa-sha256; dmarc=pass header.from=mitre.org
From: cve-request@mitre.org
To: hs@schlittermann.de
Cc: cve-request@mitre.org
Subject: Re: [scr749683] one CVE
Date: Mon,  2 Sep 2019 12:12:12 -0400 (EDT)
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset=utf-8
Status: RO

> [Suggested description]
> The SMTP Delivery process in Exim 4.92.1 has a Buffer Overflow.
> In the default runtime configuration, this is exploitable with crafted
> Server Name Indication (SNI) data during a TLS negotiation. In other
> configurations, it is exploitable with a crafted client TLS certificate.
> 
> ------------------------------------------
> 
> [Additional Information]
> It's the first CVE I have requested, so if anything is missing, please tell me.
> 
> ------------------------------------------
> 
> [Vulnerability Type]
> Buffer Overflow
> 
> ------------------------------------------
> 
> [Vendor of Product]
> Exim Development Team
> 
> ------------------------------------------
> 
> [Affected Product Code Base]
> Exim - 4.92.1
> 
> ------------------------------------------
> 
> [Affected Component]
> SMTP Delivery process
> 
> ------------------------------------------
> 
> [Attack Type]
> Remote
> 
> ------------------------------------------
> 
> [Impact Code execution]
> true
> 
> ------------------------------------------
> 
> [Attack Vectors]
> To exploit the vulnerability the attacker needs a crafted client TLS
> certificate or a crafted SNI. While the first attack vector needs a
> non-default runtime configuration, the latter one should work with the
> default runtime config.
> 
> ------------------------------------------
> 
> [Discoverer]
> zerons zerons <sironhide0null@gmail.com>
> 
> ------------------------------------------
> 
> [Reference]
> http://exim.org/static/doc/security/CVE-2019-15846.txt

Use CVE-2019-15846.


-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]