9.3
CVSSv2

CVE-2020-1931

Published: 30/01/2020 Updated: 02/02/2020
CVSS v2 Base Score: 9.3 | Impact Score: 10 | Exploitability Score: 8.6
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Summary

A command execution issue was found in Apache SpamAssassin before 3.4.3. Carefully crafted, malicious configuration (.cf) files can be written so that they run system commands, similar to CVE-2018-11805. This issue is less stealthy, and attempts to exploit it will throw warnings. Thanks to Damian Lukowski at credativ for reporting the issue ethically. With this bug unpatched, exploits can be injected in a number of scenarios, though doing so remotely is difficult. In addition to upgrading to SA 3.4.4, we again recommend that users only use update channels or third-party .cf files from trusted places.

Affected Products

Vendor: Apache
Product: SpamAssassin
Versions: - (unversioned), 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.6, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.3.0, 3.3.1, 3.3.2, 3.4.0, 3.4.1, 3.4.2

Vendor Advisories

Several security issues were fixed in SpamAssassin ...
Two vulnerabilities were discovered in spamassassin, a Perl-based spam filter using text analysis. Malicious rule or configuration files, possibly downloaded from an updates server, could execute arbitrary commands under multiple scenarios. For the oldstable distribution (stretch), these problems have been fixed in version 3.4.2-1~deb9u3. For the s ...
Debian Bug report logs - #950258 src:spamassassin: arbitrary code execution when processing rules files. Package: src:spamassassin; Maintainer for src:spamassassin is Noah Meyerhans <noahm@debian.org>; Reported by: Noah Meyerhans <noahm@debian.org>; Date: Thu, 30 Jan 2020 16:48:01 UTC; Severity: grave; Tags: security. Fo ...

Mailing Lists

Debian Security Advisory DSA-4615-1, security () debian org, www.debian.org/security/, Salvatore Bonaccorso, February 01, 2020, www.debian.org/security/faq ...
Apache SpamAssassin 3.4.4 was recently released [1], and fixes an issue of security note where nefarious rule configuration (.cf) files can be configured to run system commands, similar to CVE-2018-11805. This issue is less stealthy, and attempts to exploit the issue will throw warnings. Thanks to Damian Lukowski at credativ for reporting the iss ...