Resource Exhaustion in Apache SpamAssassin Affecting Versions Prior to 3.4.3
CVE-2019-12420

7.5HIGH

Key Information:

Vendor
Apache
Status
Apache Spamassassin
Vendor
CVE Published:
12 December 2019

Summary

In versions prior to 3.4.3 of Apache SpamAssassin, an attacker can craft specific messages that exploit the system's resources, which may lead to performance degradation or service unavailability. It is crucial for users to upgrade to version 3.4.3 or later to mitigate this vulnerability effectively. Public details about the exploit mechanism are not disclosed, emphasizing the urgency of applying the update.

Affected Version(s)

Apache SpamAssassin Apache SpamAssassin prior to 3.4.3

References

https://lists.apache.org/thread.html/64cf76749956dd08f7d5...
mailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/e3c2367351286b77a74a...
mailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/5ef362d6da12126fafc8...
mailing-listx_refsource_MLIST

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.