CVE-2010-4345

Publication date 14 December 2010

Last updated 25 August 2025

Ubuntu priority

Cvss 3 Severity Score

Description

Exim 4.72 and earlier allows local users to gain privileges by leveraging the ability of the exim user account to specify an alternate configuration file with a directive that contains arbitrary commands, as demonstrated by the spool_directory directive.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
exim4	10.10 maverick	Fixed 4.72-1ubuntu1.1
	10.04 LTS lucid	Fixed 4.71-3ubuntu1.1
	9.10 karmic	Fixed 4.69-11ubuntu4.2
	8.04 LTS hardy	Fixed 4.69-2ubuntu0.3
	6.06 LTS dapper	Fixed 4.60-3ubuntu3.3

Notes

mdeslaur

patches are behaviour-altering. See list of changes here: http://git.exim.org/exim.git/blob/HEAD:/doc/doc-txt/IncompatibleChanges See debian dsa-2154-2 for regression fix http://lists.debian.org/debian-security-announce/2011/msg00020.html http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=611572

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
exim4	Upstream: c1d9445 Upstream: e2f5dc1 Upstream: cd25e41 Upstream: 261dc43 Upstream: fa32850 Upstream: 1e83d68 Upstream: 79d4bc3 Upstream: d7177eb Upstream: a7cbbf5 Upstream: 2cfd322 Upstream: 66581d1 Upstream: 74935b9 Upstream: 90b6341 Upstream: 7f7f054 Upstream: cc5fdbc Upstream: fea24b2 Upstream: 3319167 Upstream: b7487bc

Severity score breakdown

Parameter	Value
Base score	7.8 · High
Attack vector	Local
Attack complexity	Low
Privileges required	Low
User interaction	None
Scope	Unchanged
Confidentiality	High
Integrity impact	High
Availability impact	High
Vector	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

Related Ubuntu Security Notices (USN)

USN-1060-1
Exim vulnerabilities
10 February 2011