Main Vulnerability Database Vulnerabilities #VU52871

Use-after-free in Exim - CVE-2020-28018

Published: May 4, 2021 / Updated: October 14, 2021

Vulnerability identifier: #VU52871

CSH Severity: Critical

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Red

CVE-ID: CVE-2020-28018

CWE-ID: CWE-416

Exploitation vector: Remote access

Exploit availability: Public exploit is available

Vendor: Exim

Affected software:
Exim

Detailed vulnerability description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error in tls-openssl.c. A remote non-authenticated attacker can send specially crafted data to the mail server, trigger a use-after-free error and execute arbitrary code on the system with root privileges.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

How to mitigate CVE-2020-28018

Install updates from vendor's website.

Sources

http://seclists.org/oss-sec/2021/q2/91

Use-after-free in Exim - CVE-2020-28018

Detailed vulnerability description

How to mitigate CVE-2020-28018

Sources

Please verify you're human