CVE-2018-11805

Published: 12/12/2019 Updated: 07/11/2023
CVSS v2 Base Score: 7.2 | Impact Score: 10 | Exploitability Score: 3.9
CVSS v3 Base Score: 6.7 | Impact Score: 5.9 | Exploitability Score: 0.8
VMScore: 641
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

In Apache SpamAssassin prior to 3.4.3, nefarious CF files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA 3.4.3, we recommend that users should only use update channels or third-party .cf files from trusted places.

Vulnerability Trend

Vulnerable Products

Apache SpamAssassin
Debian Linux 8.0
Debian Linux 9.0
Debian Linux 10.0

Vendor Advisories

Red Hat: Synopsis: Moderate: spamassassin security update. Type/Severity: Security Advisory: Moderate. Topic: An update for spamassassin is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base ...
Debian Bug report logs - #946652 spamassassin: CVE-2018-11805: arbitrary code execution via malicious sa-update servers. Package: spamassassin; Maintainer for spamassassin is Noah Meyerhans <noahm@debian.org>; Source for spamassassin is src:spamassassin (PTS, buildd, popcon). Reported by: Noah Meyerhans <noahm@debian.org> ...
Debian Bug report logs - #950258 src:spamassassin: arbitrary code execution when processing rules files. Package: src:spamassassin; Maintainer for src:spamassassin is Noah Meyerhans <noahm@debian.org>; Reported by: Noah Meyerhans <noahm@debian.org>. Date: Thu, 30 Jan 2020 16:48:01 UTC. Severity: grave. Tags: security. Fo ...
Several security issues were fixed in SpamAssassin ...
Two vulnerabilities were discovered in spamassassin, a Perl-based spam filter using text analysis. CVE-2018-11805: Malicious rule or configuration files, possibly downloaded from an updates server, could execute arbitrary commands under multiple scenarios. CVE-2019-12420: Specially crafted multipart messages can cause spamassassin to ...
In Apache SpamAssassin before 3.4.3, a message can be crafted in a way to use excessive resources. Upgrading to SA 3.4.3 as soon as possible is the recommended fix, but details will not be shared publicly (CVE-2019-12420). In Apache SpamAssassin before 3.4.3, nefarious CF files can be configured to run system commands without any output or errors. W ...
A malicious CF file is able to execute system commands without producing output/error streams ...

Mailing Lists

oss-sec mailing list archives: [CVE-2020-1931] Apache SpamAssassin Nefarious rule configuration (cf) files can be configured to run system commands with warn ...
oss-sec mailing list archives: [CVE-2020-1930] Apache SpamAssassin Nefarious rule configuration (cf) files can be configured to run system commands ...

References

CWE-78
https://svn.apache.org/repos/asf/spamassassin/branches/3.4/build/announcements/3.4.3.txt
https://seclists.org/oss-sec/2019/q4/154
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7647
http://www.openwall.com/lists/oss-security/2019/12/12/1
https://www.debian.org/security/2019/dsa-4584
https://seclists.org/bugtraq/2019/Dec/27
https://lists.debian.org/debian-lts-announce/2019/12/msg00019.html
https://usn.ubuntu.com/4237-1/
https://usn.ubuntu.com/4237-2/
http://www.openwall.com/lists/oss-security/2020/01/30/2
http://www.openwall.com/lists/oss-security/2020/01/30/3
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00003.html
https://lists.apache.org/thread.html/6f89f82a573ea616dce53ec67e52d963618a9f9ac71da5c1efdbd166%40%3Cusers.spamassassin.apache.org%3E
https://lists.apache.org/thread.html/d015dc5b4f24fd6777a85d068502a9c5d58d69d877ed5b0eb9a22cd5%40%3Cdev.spamassassin.apache.org%3E
https://lists.apache.org/thread.html/2946b38caec47f7f6a79e8e03d2aa723794186e59a7dc6b5e76dfc18%40%3Cannounce.spamassassin.apache.org%3E
https://lists.apache.org/thread.html/bc58907171c6585e5875a3ce86066d4956c218911cb74e3156de4433%40%3Cannounce.apache.org%3E
https://lists.apache.org/thread.html/c1f59b7e13b7f2c12f847f7d0dec2636df3cdbcaa6d8309007395ff4%40%3Cusers.spamassassin.apache.org%3E
https://lists.apache.org/thread.html/8534b60bae95ac3a8a4adb840f4ab26135f1c973ce197ff44439cbae%40%3Cusers.spamassassin.apache.org%3E
https://lists.apache.org/thread.html/0b5c73809d0690527341d940029f743807b70550050fd23ee869c5e5%40%3Cusers.spamassassin.apache.org%3E
https://lists.apache.org/thread.html/rc4df9835fb2d7b5bb1202fca99a1de21a40acef055661d3a9e8ae781%40%3Cdev.spamassassin.apache.org%3E
https://lists.apache.org/thread.html/r217177f7de36deab36dab88db4b6448961122571176dd4b2c133d08e%40%3Cannounce.spamassassin.apache.org%3E
https://lists.apache.org/thread.html/rc4df9835fb2d7b5bb1202fca99a1de21a40acef055661d3a9e8ae781%40%3Cusers.spamassassin.apache.org%3E
https://lists.apache.org/thread.html/r6729f3d3be754a06c39bb4f11c925a3631e8ea2b4c865546d755cb0a%40%3Cusers.spamassassin.apache.org%3E
https://lists.apache.org/thread.html/r71f789fcd6339144e3d4db8f4128def12c341e638bd0107a0b82a05b%40%3Cannounce.spamassassin.apache.org%3E
https://lists.apache.org/thread.html/rc4df9835fb2d7b5bb1202fca99a1de21a40acef055661d3a9e8ae781%40%3Cannounce.apache.org%3E
https://lists.apache.org/thread.html/r6729f3d3be754a06c39bb4f11c925a3631e8ea2b4c865546d755cb0a%40%3Cdev.spamassassin.apache.org%3E
https://lists.apache.org/thread.html/r2578c486552637bfedbe624940cc60d6463bd90044c887bdebb75e74%40%3Cusers.spamassassin.apache.org%3E
https://lists.apache.org/thread.html/r6729f3d3be754a06c39bb4f11c925a3631e8ea2b4c865546d755cb0a%40%3Cannounce.apache.org%3E
https://lists.apache.org/thread.html/r3d32ebf97b1245b8237763444e911c4595d2ad5e34a1641840d8146f%40%3Cusers.spamassassin.apache.org%3E
https://access.redhat.com/errata/RHSA-2020:4625
https://nvd.nist.gov