CVE-2020-1931OS Command Injection in Apache Spamassassin

CWE-78OS Command Injection9 documents8 sources
Severity
8.1HIGHNVD
CNA6.7OSV6.7
EPSS
1.1%
top 21.97%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apache SpamassassinApache Software Foundation Apache Spamassassin
Timeline
PublishedJan 30
Latest updateMay 24

Description

A command execution issue was found in Apache SpamAssassin prior to 3.4.3. Carefully crafted nefarious Configuration (.cf) files can be configured to run system commands similar to CVE-2018-11805. This issue is less stealthy and attempts to exploit the issue will throw warnings. Thanks to Damian Lukowski at credativ for reporting the issue ethically. With this bug unpatched, exploits can be injected in a number of scenarios though doing so remotely is difficult. In addition to upgrading to SA 3.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages2 packages

NVDapache/spamassassin< 3.4.3

🔴Vulnerability Details

3
GHSA
GHSA-p22p-qh9c-7725: A command execution issue was found in Apache SpamAssassin prior to 32022-05-24
OSV
CVE-2020-1931: A command execution issue was found in Apache SpamAssassin prior to 32020-01-30
CVEList
CVE-2020-1931: A command execution issue was found in Apache SpamAssassin prior to 32020-01-30

📋Vendor Advisories

4
Ubuntu
SpamAssassin vulnerabilities2020-02-04
Ubuntu
SpamAssassin vulnerabilities2020-02-04
Red Hat
spamassassin: command injection via crafted configuration file2020-01-29
Debian
CVE-2020-1931: spamassassin - A command execution issue was found in Apache SpamAssassin prior to 3.4.3. Caref...2020

💬Community

1
Bugzilla
CVE-2020-1931 spamassassin: command injection via crafted configuration file2020-02-14
CVE-2020-1931 — OS Command Injection in Apache | cvebase