CVE-2020-1946: In Apache SpamAssassin before 3.4.5, malicious rule configuration (.cf) files can be configured to run system commands without any output or errors. With this…

critical9.8CVSS 3.1

AVNACLPRNUINSUCHIHAH

In Apache SpamAssassin before 3.4.5, malicious rule configuration (.cf) files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA version 3.4.5, users should only use update channels or 3rd party .cf files from trusted places.

Affected

12 ranges

Vendor	Product	Version range	Fixed in
apache	spamassassin	< 3.4.5	3.4.5
apache	spamassassin	>= 0 < 3.4.5~pre1-1	3.4.5~pre1-1
apache	spamassassin	>= 0 < 3.4.5~pre1-1	3.4.5~pre1-1
apache	spamassassin	>= 0 < 3.4.5~pre1-1	3.4.5~pre1-1
apache	spamassassin	>= 0 < 3.4.5~pre1-1	3.4.5~pre1-1
apache_software_foundation	apache_spamassassin	>= Apache SpamAssassin < 3.4.5	3.4.5
debian	debian_linux	—	—
debian	debian_linux	—	—
debian	spamassassin	< spamassassin 3.4.5~pre1-1 (bookworm)	spamassassin 3.4.5~pre1-1 (bookworm)
fedoraproject	fedora	—	—
fedoraproject	fedora	—	—
fedoraproject	fedora	—	—

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

osv9.8CRITICAL