
CVE-2023-42114

Severity: Medium
Published: 03 May 2024
Modified: 04 November 2025
CVSS Score v3.1: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
EPSS Score: 0.1389 (94.5th percentile)
Risk Priority: 19 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-42114 is a medium-severity Out-of-bounds Read (CWE-125) vulnerability in Exim. Its CVSS base score is 5.3 (Medium).

Operationally, it ranks in the top 5.5% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2023-42114 is an out-of-bounds read vulnerability in Exim that permits information disclosure. The flaw resides in the handling of NTLM challenge requests, where insufficient validation of user-supplied data allows a read past the end of an allocated data structure. It affects Exim installations up to and including 4.96.1 and carries a CVSS score of 5.3 under CWE-125.

Remote attackers can exploit the issue without authentication or user interaction by sending crafted NTLM challenge requests, resulting in disclosure of sensitive information in the context of the Exim service account.

Advisories from the Zero Day Initiative, originally tracked as ZDI-CAN-17433, and the Debian LTS announcement detail the vulnerability and direct administrators to apply available updates for affected Exim versions. The EPSS score has remained flat at 0.1389 with no material increase since disclosure.


Vulnerability details

Exim NTLM Challenge Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Exim. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of NTLM challenge requests. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated data structure. An attacker can leverage this vulnerability to disclose information in the context of the service account. Was ZDI-CAN-17433.

CWE(s)

CWE-125: Out-of-bounds Read

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: exim
Product: exim
Versions: ≤ 4.96.1

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
