Alpine: multiple exim packages: security update to 4.96.2-r0

critical Tenable Cloud Security Plugin ID 404251

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Exim Improper Neutralization of Special Elements Remote Code Execution Vulnerability. This vulnerability
allows remote attackers to execute arbitrary code on affected installations of Exim. Authentication is not
required to exploit this vulnerability. The specific flaw exists within the smtp service, which listens on
TCP port 25 by default. The issue results from the lack of proper validation of user-supplied data, which
can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code
in the context of the current process. Was ZDI-CAN-17554. (CVE-2023-42117)

- Exim dnsdb Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows network-
adjacent attackers to disclose sensitive information on affected installations of Exim. Authentication is
not required to exploit this vulnerability. The specific flaw exists within the smtp service, which
listens on TCP port 25 by default. The issue results from the lack of proper validation of user-supplied
data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in
conjunction with other vulnerabilities to execute arbitrary code in the context of the service account. .
Was ZDI-CAN-17643. (CVE-2023-42119)

See Also

https://security.alpinelinux.org/vuln/CVE-2023-42117

https://security.alpinelinux.org/vuln/CVE-2023-42119

Plugin Details

Severity: Critical

ID: 404251

Version: Revision 1.25

Type: Local

Published: 10/31/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.86

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2023-42117

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 10/2/2023

Reference Information

CVE: CVE-2023-42117, CVE-2023-42119

IAVA: 2023-A-0521-S