CVE-2021-38371 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
mitre	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 84%

Vendor	Product	Version
exim	exim	𝑥 ≤ 4.94.2

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

exim4

bullseye	vulnerable
buster	no-dsa
stretch	postponed
bullseye (security)	4.94.2-7+deb11u4 fixed
bookworm	4.96-15+deb12u5 fixed
bookworm (security)	4.96-15+deb12u5 fixed
sid	4.98-2 fixed
trixie	4.98-2 fixed

Ubuntu Releases

Ubuntu Product

Codename

exim4

noble	not-affected
mantic	not-affected
lunar	not-affected
kinetic	not-affected
jammy	not-affected
impish	ignored
hirsute	ignored
focal	Fixed 4.93-13ubuntu1.11 released
bionic	Fixed 4.90.1-1ubuntu1.10+esm4 released
xenial	Fixed 4.86.2-2ubuntu2.6+esm7 released
trusty	Fixed 4.82-3ubuntu2.4+esm8 released

Common Weakness Enumeration

CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
The software constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

References

https://nostarttls.secvuln.info

https://www.exim.org

https://www.exim.org/static/doc/security/CVE-2021-38371.txt

https://lists.debian.org/debian-lts-announce/2024/10/msg00029.html

https://nostarttls.secvuln.info

https://www.exim.org

https://www.exim.org/static/doc/security/CVE-2021-38371.txt