Arbitrary Code Execution in sa-exim 4.2.1 via .cf File or Rule

Arbitrary Code Execution in sa-exim 4.2.1 via .cf File or Rule

CVE-2019-19920 · HIGH Severity

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

sa-exim 4.2.1 allows attackers to execute arbitrary code if they can write a .cf file or a rule. This occurs because Greylisting.pm relies on eval (rather than direct parsing and/or use of the taint feature). This issue is similar to CVE-2018-11805.

Learn more about our Web Application Penetration Testing UK.