CVE-2020-1946

Published: 25/03/2021 Updated: 07/11/2023
CVSS v2 Base Score: 10 | Impact Score: 10 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 890
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

In Apache SpamAssassin prior to 3.4.5, malicious rule configuration (.cf) files can be configured to run system commands without producing any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SpamAssassin version 3.4.5, users should only use update channels or third-party .cf files from trusted sources.

Vulnerable Products

Apache SpamAssassin

Debian Linux 9.0

Debian Linux 10.0

Fedora 32

Fedora 33

Fedora 34

Vendor Advisories

Debian Bug report logs - #985962 spamassassin: CVE-2020-1946: arbitrary code execution via malicious rule configuration files. Package: src:spamassassin; Maintainer for src:spamassassin is Noah Meyerhans <noahm@debian.org>; Reported by: Noah Meyerhans <noahm@debian.org>; Date: Fri, 26 Mar 2021 22:06:01 UTC; Severity: gr ...
Damian Lukowski discovered a flaw in spamassassin, a Perl-based spam filter using text analysis. Malicious rule configuration files, possibly downloaded from an updates server, could execute arbitrary commands under multiple scenarios. For the stable distribution (buster), this problem has been fixed in version 3.4.2-1+deb10u3. We recommend that yo ...
A flaw was found in spamassassin. Malicious rule configuration (.cf) files can be configured to run system commands without any output or errors, allowing exploits to be injected in a number of scenarios. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2020-1946) ...
A flaw was found in spamassassin. Malicious rule configuration (.cf) files can be configured to run system commands without any output or errors, allowing exploits to be injected in a number of scenarios. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability ...
In Apache SpamAssassin before 3.4.5, malicious rule configuration (.cf) files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SpamAssassin version 3.4.5, users should only use update channels or 3rd party .cf files from trusted places ...