Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2006-2447

11 documents, 8 sources
Severity: 5.1 (MEDIUM)
EPSS: 75.8% (top 1.09%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Affected products
Timeline
Published: Jun 6
Latest update: May 1

Description

SpamAssassin before 3.1.3, when running with vpopmail and the paranoid (-P) switch, allows remote attackers to execute arbitrary commands via a crafted message that is not properly handled when invoking spamd with the virtual pop username.

CVSS vector

AV:N/AC:H/C:P/I:P/A:P
Exploitability: 4.9 | Impact: 6.4

Affected Packages (2 packages)

Debian: spamassassin < 3.1.3-1 (+3)
NVD: apache/spamassassin 3.1.0, 3.1.1, 3.1.2 (+2)

Patches

🔴 Vulnerability Details (3)

GHSA
GHSA-xj48-9vrg-vxxc: SpamAssassin before 3 (2022-05-01)
OSV
CVE-2006-2447: SpamAssassin before 3 (2006-06-06)
CVEList
CVE-2006-2447: SpamAssassin before 3 (2006-06-06)

💥 Exploits & PoCs (2)

Exploit-DB
SpamAssassin spamd - Remote Command Execution (Metasploit) (2010-04-30)
Exploit-DB
SpamAssassin spamd 3.1.3 - Command Injection (Metasploit) (2006-06-06)

📋 Vendor Advisories (2)

Red Hat
security flaw (2006-06-06)
Debian
CVE-2006-2447: spamassassin - SpamAssassin before 3.1.3, when running with vpopmail and the paranoid (-P) swit... (2006)

💬 Community (3)

Bugzilla
CVE-2006-2447 security flaw (2018-08-16)
Bugzilla
CVE-2006-2447 spamassassin arbitrary command execution (2006-06-06)
Bugzilla
CVE-2006-2447 spamassassin arbitrary command execution (2006-06-02)