Apache SpamAssassin has an OS Command Injection vulnerability
CVE-2020-1946

9.8CRITICAL

Key Information:

Vendor: Apache
Status: Apache Spamassassin
Vendor: CVE Published:; 25 March 2021

Summary

In Apache SpamAssassin before 3.4.5, malicious rule configuration (.cf) files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA version 3.4.5, users should only use update channels or 3rd party .cf files from trusted places.

Affected Version(s)

Apache SpamAssassin Apache SpamAssassin < 3.4.5

References

https://s.apache.org/3r1wh

x_refsource_MISC

https://www.debian.org/security/2021/dsa-4879

vendor-advisoryx_refsource_DEBIAN

https://lists.fedoraproject.org/archives/list/package-ann...

vendor-advisoryx_refsource_FEDORA

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 25, 2021
Vulnerability Reserved
Dec 2, 2019

Credit

Apache SpamAssassin would like to thank Damian Lukowski at credativ for ethically reporting this issue.

.