Local User Code Injection in Apache SpamAssassin by The Apache Software Foundation
CVE-2018-11781

7.8HIGH

Key Information:

Vendor
Apache
Status
Apache Spamassassin
Vendor
CVE Published:
17 September 2018

Summary

A local user code injection vulnerability exists in Apache SpamAssassin that could allow unauthorized code execution through improper handling of meta rule syntax. This flaw can be leveraged by an attacker with local user access to compromise the integrity of the application and potentially influence its behavior. An upgrade to version 3.4.2 is recommended to mitigate this security risk.

Affected Version(s)

Apache SpamAssassin before 3.4.2

References

https://usn.ubuntu.com/3811-3/
vendor-advisoryx_refsource_UBUNTU
https://usn.ubuntu.com/3811-1/
vendor-advisoryx_refsource_UBUNTU
https://security.gentoo.org/glsa/201812-07
vendor-advisoryx_refsource_GENTOO

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.