CVE-2020-1946

CWE-78 — OS Command Injection CWE-77 — Command Injection8 documents7 sources

Severity

9.8CRITICAL

EPSS

1.5%

top 18.90%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Spamassassin Apache Spamassassin Debian Debian Linux +1 more

Timeline

PublishedMar 25

Latest updateMay 24

Description

In Apache SpamAssassin before 3.4.5, malicious rule configuration (.cf) files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA version 3.4.5, users should only use update channels or 3rd party .cf files from trusted places.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶NVDapache/spamassassin< 3.4.5

▶CVEListV5apache_software_foundation/apache_spamassassinApache SpamAssassin — 3.4.5

▶Debianspamassassin< 3.4.5~pre1-1+3

Also affects: Debian Linux 10.0, 9.0, Fedora 32, 33, 34

🔴Vulnerability Details

GHSA

GHSA-qmmx-pr2m-q429: In Apache SpamAssassin before 3↗2022-05-24

▶

OSV

CVE-2020-1946: In Apache SpamAssassin before 3↗2021-03-25

▶

CVEList

Apache SpamAssassin has an OS Command Injection vulnerability↗2021-03-25

▶

📋Vendor Advisories

Ubuntu

SpamAssassin vulnerability↗2021-04-12

▶

Ubuntu

SpamAssassin vulnerability↗2021-04-01

▶

Red Hat

spamassassin: Malicious rule configuration files can be configured to run system commands↗2021-03-24

▶

Debian

CVE-2020-1946: spamassassin - In Apache SpamAssassin before 3.4.5, malicious rule configuration (.cf) files ca...↗2020

▶