CVE-2020-1930

CWE-78OS Command Injection9 documents8 sources
Severity
8.1HIGH
EPSS
1.4%
top 19.70%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apache SpamassassinApache Software Foundation Apache Spamassassin
Timeline
PublishedJan 30
Latest updateMay 24

Description

A command execution issue was found in Apache SpamAssassin prior to 3.4.3. Carefully crafted nefarious rule configuration (.cf) files can be configured to run system commands similar to CVE-2018-11805. With this bug unpatched, exploits can be injected in a number of scenarios including the same privileges as spamd is run which may be elevated though doing so remotely is difficult. In addition to upgrading to SA 3.4.4, we again recommend that users should only use update channels or 3rd party .cf

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages3 packages

NVDapache/spamassassin< 3.4.3
Debianspamassassin< 3.4.4~rc1-1+3

🔴Vulnerability Details

3
GHSA
GHSA-pxq8-92ff-q845: A command execution issue was found in Apache SpamAssassin prior to 32022-05-24
CVEList
CVE-2020-1930: A command execution issue was found in Apache SpamAssassin prior to 32020-01-30
OSV
CVE-2020-1930: A command execution issue was found in Apache SpamAssassin prior to 32020-01-30

📋Vendor Advisories

4
Ubuntu
SpamAssassin vulnerabilities2020-02-04
Ubuntu
SpamAssassin vulnerabilities2020-02-04
Red Hat
spamassassin: command injection via crafted configuration file2020-01-30
Debian
CVE-2020-1930: spamassassin - A command execution issue was found in Apache SpamAssassin prior to 3.4.3. Caref...2020

💬Community

1
Bugzilla
CVE-2020-1930 spamassassin: command injection via crafted configuration file2020-02-14
CVE-2020-1930 (HIGH CVSS 8.1) | A command execution issue was found | cvebase.io