Exim 4 before 4.94.2 allows Execution with Unnecessary Privileges. Exim operates as root inside its spool directory, which is owned by a non-root user. Because of this, an attacker with write access to that directory can write to a spool header file under /var/spool/exim4/input, and a crafted recipient address in that file can indirectly lead to command execution.
{ "vanir_signatures": [ { "signature_type": "Function", "digest": { "length": 86.0, "function_hash": "85807556721849417698167290800033609961" }, "signature_version": "v1", "source": "https://github.com/exim/exim/commit/919111edac911ba9c15422eafd7c5bf14d416d26", "id": "CVE-2020-28008-a5b97121", "target": { "file": "src/src/smtp_in.c", "function": "bdat_ungetc" }, "deprecated": false }, { "signature_type": "Line", "digest": { "line_hashes": [ "2970847905863908930961351479348962244", "259127508678304675853565838131490768076", "16856440449629165604374376294870505588", "21031574626938302228709321949938569854", "66694532801356984293692391694813765468", "228435147706632689035739186300622821874", "137018139142916213668559470023354199721", "262955889687131153967951266340364206508", "122233694988885115887188843215612136724", "55546132595750780137850156557040648213", "178043897109541241882122479475000937559", "311496951671523793228361465075141960070" ], "threshold": 0.9 }, "signature_version": "v1", "source": "https://github.com/exim/exim/commit/919111edac911ba9c15422eafd7c5bf14d416d26", "id": "CVE-2020-28008-f33c15e3", "target": { "file": "src/src/smtp_in.c" }, "deprecated": false } ] }