{"id":"CVE-2019-10149","details":"A flaw was found in Exim versions 4.87 to 4.91 (inclusive). Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to remote command execution.","modified":"2026-05-13T04:03:11.110283631Z","published":"2019-06-05T14:29:11.293Z","related":["openSUSE-SU-2019:1524-1","openSUSE-SU-2021:0753-1","openSUSE-SU-2024:10746-1"],"database_specific":{"unresolved_ranges":[{"extracted_events":[{"last_affected":"18.04"}],"source":"CPE_FIELD","cpe":"cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*"},{"extracted_events":[{"last_affected":"18.10"}],"source":"CPE_FIELD","cpe":"cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"9.0"}],"source":"CPE_FIELD","cpe":"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*"}]},"references":[{"type":"WEB","url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-10149"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00020.html"},{"type":"ADVISORY","url":"http://seclists.org/fulldisclosure/2019/Jun/16"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2019/06/05/2"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2019/07/25/6"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2019/07/25/7"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2019/07/26/4"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2021/05/04/7"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/108679"},{"type":"ADVISORY","url":"https://seclists.org/bugtraq/2019/Jun/5"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/201906-01"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/4010-1/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2019/dsa-4456"},{"type":"ADVISORY","url":"https://www.exim.org/static/doc/security/CVE-2019-10149.txt"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10149"},{"type":"FIX","url":"http://www.openwall.com/lists/oss-security/2019/06/05/3"},{"type":"EVIDENCE","url":"http://packetstormsecurity.com/files/153218/Exim-4.9.1-Remote-Command-Execution.html"},{"type":"EVIDENCE","url":"http://packetstormsecurity.com/files/153312/Exim-4.91-Local-Privilege-Escalation.html"},{"type":"EVIDENCE","url":"http://packetstormsecurity.com/files/154198/Exim-4.91-Local-Privilege-Escalation.html"},{"type":"EVIDENCE","url":"http://www.openwall.com/lists/oss-security/2019/06/05/4"},{"type":"EVIDENCE","url":"http://www.openwall.com/lists/oss-security/2019/06/06/1"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/exim/exim","events":[{"introduced":"74d8288d7a8fa83989968647149ae47ba10194f8"},{"last_affected":"c1b32ab6ef9300e2ecab6736139e3e50874cd3a6"}],"database_specific":{"extracted_events":[{"introduced":"4.87"},{"last_affected":"4.91"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:exim:exim:*:*:*:*:*:*:*:*"}}],"versions":["exim-4_91","exim-4_91_RC4","exim-4_91_RC3","exim-4_91_RC2","exim-4_91_RC1","exim-4_90_RC4","exim-4_90","exim-4_90_RC3","exim-4_90_RC2","exim-4_90_RC1","exim-4.90devstart","exim-4_89_RC3","exim-4_89_RC1","exim-4_88","exim-4_87","exim-4_88_RC6","exim-4_88_RC5","exim-4_88_RC4","exim-4_88_RC3","exim-4_88_RC2","exim-4_88_RC1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-10149.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}