Command Execution Vulnerability in Apache SpamAssassin by The Apache Software Foundation
CVE-2020-1931
8.1 HIGH
Summary
Apache SpamAssassin versions prior to 3.4.3 are vulnerable to a command execution issue in which an attacker can craft malicious configuration files that execute system commands. Remote exploitation is challenging, but the vulnerability can still be exploited under certain conditions. The flaw is similar to the previously reported CVE-2018-11805. Exploitation attempts are not stealthy and raise alerts. Users are urged to update to version 3.4.4 to safeguard against this vulnerability, and should use only trusted update channels and trusted third-party configuration files.
Affected Version(s)
Apache SpamAssassin prior to 3.4.3
References
CVSS V3.1
Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved