Denial of Service Vulnerability in Apache SpamAssassin by The Apache Software Foundation
CVE-2017-15705

5.3MEDIUM

Key Information:

Vendor
Apache
Status
Apache Spamassassin
Vendor
CVE Published:
17 September 2018

Summary

A denial of service vulnerability exists in Apache SpamAssassin prior to version 3.4.2, linked to the mishandling of unclosed HTML tags in emails. When certain malformed HTML is parsed, the Apache SpamAssassin's use of HTML::Parser may lead to improper event handling, resulting in scan timeouts. This flaw can allow attackers to send carefully crafted emails that invoke excessive scan times, potentially disrupting email filtering services. Although the vulnerability has been exploited in the past, it hasn't been conclusively tied to malicious intentions. Future exploitation attempts cannot be ruled out.

Affected Version(s)

Apache SpamAssassin all modern versions before 3.4.2

References

https://usn.ubuntu.com/3811-2/
vendor-advisoryx_refsource_UBUNTU
https://usn.ubuntu.com/3811-1/
vendor-advisoryx_refsource_UBUNTU
https://security.gentoo.org/glsa/201812-07
vendor-advisoryx_refsource_GENTOO

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.