CVE-2021-38371 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 84%

Affected Products (NVD)

Vendor	Product	Version
exim	exim	𝑥 ≤ 4.94.2

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

exim4

bookworm	4.96-15+deb12u5 fixed
bookworm (security)	4.96-15+deb12u5 fixed
bullseye	vulnerable
bullseye (security)	4.94.2-7+deb11u4 fixed
buster	no-dsa
sid	4.98-2 fixed
stretch	postponed
trixie	4.98-2 fixed

Ubuntu Releases

Ubuntu Product

Codename

exim4

bionic	Fixed 4.90.1-1ubuntu1.10+esm4 released
focal	Fixed 4.93-13ubuntu1.11 released
hirsute	ignored
impish	ignored
jammy	not-affected
kinetic	not-affected
lunar	not-affected
mantic	not-affected
noble	not-affected
trusty	Fixed 4.82-3ubuntu2.4+esm8 released
xenial	Fixed 4.86.2-2ubuntu2.6+esm7 released

Common Weakness Enumeration

CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
The software constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

References

https://nostarttls.secvuln.info

https://www.exim.org

https://www.exim.org/static/doc/security/CVE-2021-38371.txt

https://lists.debian.org/debian-lts-announce/2024/10/msg00029.html

https://nostarttls.secvuln.info

https://www.exim.org

https://www.exim.org/static/doc/security/CVE-2021-38371.txt