Command Execution Vulnerability in Apache SpamAssassin by The Apache Software Foundation
CVE-2020-1930

8.1 HIGH

Key Information:

Vendor
Apache
CVE Published:
30 January 2020

Summary

A command execution vulnerability has been identified in Apache SpamAssassin versions prior to 3.4.3, allowing an attacker to exploit carefully crafted rule configuration files (.cf). Such malicious configurations can trigger system commands that run with the same privileges as the spamd process, which poses a significant risk, particularly if spamd is run with elevated privileges. To mitigate the risk, upgrading to version 3.4.4 is essential. Additionally, users are advised to obtain third-party .cf files only from trusted sources and, if an upgrade is not possible, to avoid using sa-compile or running spamd with elevated privileges.
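A small triage check for the mitigations above, added here as an example and not part of the advisory or of SpamAssassin itself. It assumes the output formats of `spamassassin --version` and `ps -eo user,comm` and works on constructed sample output, flagging an affected version and a spamd process that runs as root:

```python
"""Triage helper for CVE-2020-1930 (added example, not part of the advisory).
Assumes `spamassassin --version` prints "SpamAssassin version X.Y.Z" and that
spamd appears as "spamd" in `ps -eo user,comm`; the sample outputs are constructed.
"""
import re

AFFECTED_BELOW = (3, 4, 3)  # advisory: versions prior to 3.4.3 are affected
FIXED_IN = (3, 4, 4)        # advisory: upgrade to 3.4.4
VERSION_RE = re.compile(r"SpamAssassin version (\d+)\.(\d+)\.(\d+)")

# Constructed sample outputs standing in for the real commands.
SAMPLE_VERSION_OUTPUT = "SpamAssassin version 3.4.2\n  running on Perl version 5.28.1\n"
SAMPLE_PS_OUTPUT = "USER     COMMAND\nroot     sshd\nroot     spamd\nroot     spamd child\n"

def parse_version(output):
    """Return (major, minor, patch) parsed from `spamassassin --version` output."""
    m = VERSION_RE.search(output)
    if not m:
        raise ValueError("no 'SpamAssassin version' line found")
    return tuple(int(x) for x in m.groups())

def spamd_user(ps_output):
    """Return the owner of the first spamd process in `ps -eo user,comm` output."""
    for line in ps_output.splitlines()[1:]:  # skip the header row
        fields = line.split(None, 1)
        if len(fields) == 2 and fields[1].split()[0] == "spamd":
            return fields[0]
    return None

def assess(version, user):
    """List findings for an installed version and the account spamd runs as."""
    findings = []
    if version < AFFECTED_BELOW:
        findings.append("affected by CVE-2020-1930: upgrade to 3.4.4")
    elif version < FIXED_IN:
        findings.append("older than the 3.4.4 release the advisory recommends")
    if user == "root" and version < FIXED_IN:
        # Commands triggered by a crafted .cf file run with spamd's privileges.
        findings.append("spamd runs as root: a crafted .cf would execute commands as root")
    return findings

if __name__ == "__main__":
    ver = parse_version(SAMPLE_VERSION_OUTPUT)
    for finding in assess(ver, spamd_user(SAMPLE_PS_OUTPUT)):
        print(finding)
```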

Affected Version(s)

Apache SpamAssassin prior to 3.4.3

References

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
