CVE-2024-20328
Published 2024-03-01
Priority P3 · 54 · medium · CVSS 3.1: 5.3
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
EPSS: 84.84% (99.7th percentile)
A vulnerability in the VirusEvent feature of ClamAV could allow a local attacker to inject arbitrary commands with the privileges of the application service account. The vulnerability is due to unsafe handling of file names. A local attacker could exploit this vulnerability by supplying a file name containing command-line sequences. When processed on a system using configuration options for the VirusEvent feature, the attacker could cause the application to execute arbitrary commands.
ClamAV has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
Affected
16 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cisco | clamav | — | — |
| cisco | clamav | — | — |
| clamav | clamav | >= 0 < 1.0.5+dfsg-1~deb12u1 | 1.0.5+dfsg-1~deb12u1 |
| clamav | clamav | >= 0 < 1.0.5+dfsg-1 | 1.0.5+dfsg-1 |
| clamav | clamav | >= 0 < 1.0.5+dfsg-1 | 1.0.5+dfsg-1 |
| clamav | clamav | >= 0 < 1.0.5+dfsg-0ubuntu0.23.10.1 | 1.0.5+dfsg-0ubuntu0.23.10.1 |
| clamav | clamav | >= 1.0.0 < 1.0.5 | 1.0.5 |
| clamav | clamav | >= 1.2.0 < 1.2.2 | 1.2.2 |
| debian | clamav | < clamav 1.0.5+dfsg-1~deb12u1 (bookworm) | clamav 1.0.5+dfsg-1~deb12u1 (bookworm) |
| msrc | azl3_clamav_0.105.2-4_on_azure_linux_3.0 | — | — |
| msrc | azl3_clamav_1.0.6-1_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl2_clamav_0.105.2-5_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
Detection & IOCs
- The VirusEvent feature in ClamAV (clamd) is the attack surface; monitor for unexpected command execution spawned from the clamd process, particularly when filenames contain shell metacharacters or command-line sequences.
- An attacker able to connect to ClamD (clamd socket/port) could trigger this vulnerability via the VirusEvent feature; monitor for unusual or unauthorized connections to the ClamD service.
- The vulnerability is triggered when VirusEvent configuration options are active in clamd.conf; audit systems for VirusEvent directives and alert on child processes spawned by clamd with suspicious arguments.
- The vulnerability only manifests when the VirusEvent feature is enabled in ClamAV configuration; systems without VirusEvent configured are not exploitable via this vector.
- There are no workarounds available; the only remediation is upgrading to a patched ClamAV release (e.g., Debian fixed in 1.0.5+dfsg-1~deb12u1 for bookworm).
- Exploitation requires local attacker access to submit a malicious filename to the ClamD service; the injected commands execute with the privileges of the ClamAV application service account.
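The configuration audit described in the list above, as an added example (not code from ClamAV or from any of the advisories): it finds uncommented `VirusEvent` directives in a clamd.conf and checks the installed version against the two upstream ranges in this page's Affected table. The sample configuration, hook paths and function names are constructed for illustration; a version outside the listed ranges is reported as not listed, not as safe.

```python
import re

# Upstream ranges copied from this page's "Affected" table: (first affected, fixed in).
LISTED_RANGES = [((1, 0, 0), (1, 0, 5)), ((1, 2, 0), (1, 2, 2))]

# Constructed sample clamd.conf; the hook script paths are hypothetical.
SAMPLE_CONF = "\n".join([
    "# clamd.conf (constructed sample)",
    "LocalSocket /run/clamav/clamd.ctl",
    "#VirusEvent /usr/local/bin/old-hook.sh",
    "  VirusEvent /usr/local/bin/notify-admin.sh",
])

def upstream_version(text):
    """Leading x.y.z of a version string, e.g. '1.0.4' or '1.0.5+dfsg-1~deb12u1'."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())

def in_listed_range(version_text):
    """True if the upstream version falls in a range listed on this page."""
    v = upstream_version(version_text)
    return any(first <= v < fixed for first, fixed in LISTED_RANGES)

def active_virusevent(conf_text):
    """Return (line_number, command) for every uncommented VirusEvent directive."""
    hits = []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment: directive is not active
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] == "VirusEvent":
            hits.append((lineno, parts[1]))
    return hits

def audit(conf_text, version_text):
    """Combine both checks: a hook is configured AND the version is in a listed range."""
    hooks = active_virusevent(conf_text)
    listed = in_listed_range(version_text)
    return {"virusevent": hooks, "in_listed_range": listed,
            "needs_upgrade": bool(hooks) and listed}

if __name__ == "__main__":
    for version in ("1.0.4", "1.0.5+dfsg-1~deb12u1", "1.2.1", "1.2.2"):
        print(version, audit(SAMPLE_CONF, version))
```
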
CVSS provenance
nvd · v3.1 · 5.3 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
osv · 7.5 HIGH
vendor_ubuntu · 7.5 HIGH
vendor_debian · 5.3 MEDIUM
vendor_msrc · 5.3 MEDIUM
Microsoft
ClamAV VirusEvent File Processing Command Injection Vulnerability
vendor_msrc·2024-03-12·CVSS 5.3
CVE-2024-20328 [MEDIUM] CWE-78 ClamAV VirusEvent File Processing Command Injection Vulnerability
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
cisco: cisco
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: htt
Ubuntu
ClamAV vulnerabilities
vendor_ubuntu·2024-02-14·CVSS 7.5
CVE-2024-20328 [HIGH] ClamAV vulnerabilities
Title: ClamAV vulnerabilities
Summary: Several security issues were fixed in ClamAV.
It was discovered that ClamAV incorrectly handled parsing certain OLE2
files. A remote attacker could possibly use this issue to cause ClamAV to
crash, resulting in a denial of service. (CVE-2024-20290)
Amit Schendel discovered that the ClamAV ClamD service incorrectly handled
the VirusEvent feature. An attacker able to connect to ClamD could possibly
use this issue to execute arbitrary code. (CVE-2024-20328)
Instructions: This update uses a new upstream release, which includes additional bug
fixes. In general, a standard system update will make all the necessary
changes.
Debian
CVE-2024-20328: clamav - A vulnerability in the VirusEvent feature of ClamAV could allow a local attacker...
vendor_debian·2024·CVSS 5.3
CVE-2024-20328 [MEDIUM] CVE-2024-20328: clamav - A vulnerability in the VirusEvent feature of ClamAV could allow a local attacker...
A vulnerability in the VirusEvent feature of ClamAV could allow a local attacker to inject arbitrary commands with the privileges of the application service account. The vulnerability is due to unsafe handling of file names. A local attacker could exploit this vulnerability by supplying a file name containing command-line sequences. When processed on a system using configuration options for the VirusEvent feature, the attacker could cause the application to execute arbitrary commands. ClamAV has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
Scope: local
bookworm: resolved (fixed in 1.0.5+dfsg-1~deb12u1)
bullseye: resolved
forky: resolved (fixed in 1.0.5+dfsg-1)
sid: resolved (fixed in 1.0.5+dfsg-1)
trixie: resolved (fixe
GHSA
GHSA-vhq6-cjc8-x8v9: A vulnerability in the VirusEvent feature of ClamAV could allow a local attacker to inject arbitrary commands with the privileges of the application s
ghsa_unreviewed·2024-03-01
CVE-2024-20328 [MEDIUM] CWE-78 GHSA-vhq6-cjc8-x8v9: A vulnerability in the VirusEvent feature of ClamAV could allow a local attacker to inject arbitrary commands with the privileges of the application s
A vulnerability in the VirusEvent feature of ClamAV could allow a local attacker to inject arbitrary commands with the privileges of the application service account. The vulnerability is due to unsafe handling of file names. A local attacker could exploit this vulnerability by supplying a file name containing command-line sequences. When processed on a system using configuration options for the VirusEvent feature, the attacker could cause the application to execute arbitrary commands.
ClamAV has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
OSV
CVE-2024-20328: A vulnerability in the VirusEvent feature of ClamAV could allow a local attacker to inject arbitrary commands with the privileges of the application s
osv·2024-03-01·CVSS 5.3
CVE-2024-20328 [MEDIUM] CVE-2024-20328: A vulnerability in the VirusEvent feature of ClamAV could allow a local attacker to inject arbitrary commands with the privileges of the application s
A vulnerability in the VirusEvent feature of ClamAV could allow a local attacker to inject arbitrary commands with the privileges of the application service account. The vulnerability is due to unsafe handling of file names. A local attacker could exploit this vulnerability by supplying a file name containing command-line sequences. When processed on a system using configuration options for the VirusEvent feature, the attacker could cause the application to execute arbitrary commands. ClamAV has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
OSV
clamav vulnerabilities
osv·2024-02-14·CVSS 7.5
CVE-2024-20290 [HIGH] clamav vulnerabilities
It was discovered that ClamAV incorrectly handled parsing certain OLE2
files. A remote attacker could possibly use this issue to cause ClamAV to
crash, resulting in a denial of service. (CVE-2024-20290)
Amit Schendel discovered that the ClamAV ClamD service incorrectly handled
the VirusEvent feature. An attacker able to connect to ClamD could possibly
use this issue to execute arbitrary code. (CVE-2024-20328)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2024-03-01