CVE-2010-4345

Publication date 14 December 2010

Last updated 25 August 2025

Ubuntu priority

Medium

Why this priority?

Cvss 3 Severity Score

7.8 · High

Score breakdown

Description

Exim 4.72 and earlier allows local users to gain privileges by leveraging the ability of the exim user account to specify an alternate configuration file with a directive that contains arbitrary commands, as demonstrated by the spool_directory directive.

Read the notes from the security team

Status

Package Ubuntu Release Status
exim4 10.10 maverick
Fixed 4.72-1ubuntu1.1
10.04 LTS lucid
Fixed 4.71-3ubuntu1.1
9.10 karmic
Fixed 4.69-11ubuntu4.2
8.04 LTS hardy
Fixed 4.69-2ubuntu0.3
6.06 LTS dapper
Fixed 4.60-3ubuntu3.3

Notes

mdeslaur

patches are behaviour-altering. See list of changes here: http://git.exim.org/exim.git/blob/HEAD:/doc/doc-txt/IncompatibleChanges See debian dsa-2154-2 for regression fix http://lists.debian.org/debian-security-announce/2011/msg00020.html http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=611572

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
exim4

Severity score breakdown

CVSS version: CVSS v3.0

Base score 7.8 · High

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

Related Ubuntu Security Notices (USN)

    • USN-1060-1
    • Exim vulnerabilities
    • 10 February 2011

Other references

Access our resources on patching vulnerabilities