Description: In Apache SpamAssassin before 3.4.3, crafted .cf (rules configuration) files can be set up to run system commands without producing any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA 3.4.3, users should only use update channels or third-party .cf files from trusted sources. Exploitation requires getting a crafted .cf file into a location SpamAssassin reads, which is why the CVSS vector rates the attack as local with high privileges required; the exposure comes from the trust placed in rule sources, not from mail content.
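The upgrade-and-trust advice above reduces to two checks an operator can script: is the installed release 3.4.3 or later, and which .cf files on the host could have been written by someone other than the administrator. The following is an added example written for this page, not code from the SpamAssassin project or from the advisory; the directory list, the constructed `spamassassin --version` sample and the root-ownership heuristic are assumptions to adapt to the local installation.

```shell
#!/bin/sh
# Added example (not SpamAssassin project code): gate on the fixed release and audit rule files.
# Assumptions: the SA_CF_DIRS paths and SAMPLE_SA_VERSION_OUTPUT are constructed for
# illustration; adjust them to your build (site rules dir, local_state_dir).

# Constructed sample of what `spamassassin --version` prints on an unpatched host.
SAMPLE_SA_VERSION_OUTPUT='SpamAssassin version 3.4.2
  running on Perl version 5.26.1'

# Directories SpamAssassin commonly reads .cf rules from: site config and the sa-update store.
# These paths are an assumption.
SA_CF_DIRS="/etc/mail/spamassassin /etc/spamassassin /var/lib/spamassassin"

# Pull the x.y.z version out of `spamassassin --version` output; prints nothing if absent.
sa_extract_version() {
    printf '%s\n' "$1" | sed -n 's/^SpamAssassin version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Print "patched" if version $1 is 3.4.3 or later (CVE-2018-11805 fixed), else "vulnerable".
# A missing patch component counts as 0; pre-release suffixes such as "-rc1" are ignored.
sa_version_status() {
    saved_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$saved_ifs
    maj=${1:-0}; min=${2:-0}; pat=${3:-0}
    pat=${pat%%[!0-9]*}; pat=${pat:-0}
    if [ "$maj" -gt 3 ] \
        || { [ "$maj" -eq 3 ] && [ "$min" -gt 4 ]; } \
        || { [ "$maj" -eq 3 ] && [ "$min" -eq 4 ] && [ "$pat" -ge 3 ]; }; then
        echo patched
    else
        echo vulnerable
    fi
}

# List .cf files under SA_CF_DIRS that are not root-owned or are group/world writable:
# anyone who can write such a file can plant a rule, which is the precondition for this CVE.
sa_list_suspect_cf() {
    for d in $SA_CF_DIRS; do
        [ -d "$d" ] || continue
        find "$d" -name '*.cf' \( ! -user root -o -perm -020 -o -perm -002 \) -print
    done
}

# Live check: report the installed version's status and any suspect rule files.
sa_check_installed() {
    if ! command -v spamassassin >/dev/null 2>&1; then
        echo "spamassassin not found in PATH; nothing to check" >&2
        return 2
    fi
    v=$(sa_extract_version "$(spamassassin --version 2>/dev/null)")
    printf 'SpamAssassin %s: %s against CVE-2018-11805\n' "${v:-unknown}" "$(sa_version_status "$v")"
    sa_list_suspect_cf
}

sa_check_installed || :
```

Run it as root on the mail host so `find` can read every rules directory. A file the audit flags is not proof of compromise, only a write path worth closing. For sa-update channels, keep the default GPG verification (do not pass `--nogpg`) and only add third-party channels whose signing keys you imported deliberately.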
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (base score 6.7, Medium; exploitability 0.8, impact 5.9)
Attack Vector: Local
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
Affected Packages (5 packages). Also affects: Debian Linux 8.0, 9.0, 10.0
Vulnerability Details (5)
2022-05-24  GHSA GHSA-639c-xqgw-3jh5: In Apache SpamAssassin before 3...
2020-01-15  OSV: spamassassin vulnerabilities
2020-01-13  OSV: spamassassin vulnerabilities
2019-12-12  CVEList CVE-2018-11805: In Apache SpamAssassin before 3...
2019-12-12  OSV CVE-2018-11805: In Apache SpamAssassin before 3...

Vendor Advisories (6)
2020-01-30  Red Hat: spamassassin: command injection via crafted configuration file
2020-01-29  Red Hat: spamassassin: command injection via crafted configuration file
2020-01-15  Ubuntu: SpamAssassin vulnerabilities
2020-01-13  Ubuntu: SpamAssassin vulnerabilities
2019-12-12  Red Hat: spamassassin: crafted configuration files can run system commands without any output or errors

Community (4)
2020-02-14  Bugzilla CVE-2020-1930: spamassassin: command injection via crafted configuration file
2020-02-14  Bugzilla CVE-2020-1931: spamassassin: command injection via crafted configuration file
2019-12-18  Bugzilla CVE-2018-11805: spamassassin: crafted configuration files can run system commands without any output or errors
2019-12-18  Bugzilla CVE-2018-11805: spamassassin: crafted CF files can be configured to run system commands without any output or errors [fedora-all]