Lucene search

[email protected]CVE-2020-1931

HistoryJan 30, 2020 - 6:15 p.m.

CVE-2020-1931

2020-01-3018:15:00

CWE-78

[email protected]

web.nvd.nist.gov

207

cve

2020

1931

apache

spamassassin

command execution

vulnerability

security

nvd

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

7 High

AI Score

Confidence

High

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.009 Low

EPSS

Percentile

82.1%

JSON

A command execution issue was found in Apache SpamAssassin prior to 3.4.3. Carefully crafted nefarious Configuration (.cf) files can be configured to run system commands similar to CVE-2018-11805. This issue is less stealthy and attempts to exploit the issue will throw warnings. Thanks to Damian Lukowski at credativ for reporting the issue ethically. With this bug unpatched, exploits can be injected in a number of scenarios though doing so remotely is difficult. In addition to upgrading to SA 3.4.4, we again recommend that users should only use update channels or 3rd party .cf files from trusted places.

CPENameOperatorVersion
apache:spamassassinapache spamassassinlt3.4.3

CPE	Name	Operator	Version
apache:spamassassin	apache spamassassin	lt	3.4.3

References

lists.opensuse.org/opensuse-security-announce/2020-04/msg00003.html

bz.apache.org/SpamAssassin/show_bug.cgi?id=7784

lists.debian.org/debian-lts-announce/2020/02/msg00015.html

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B7SY2LUSH2X3IUXN4EQQ5A6QVUFYIV3D/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VOVVKFP2G2AF5GHAB4WMHOEX76A3H6CE/

seclists.org/bugtraq/2020/Feb/1

usn.ubuntu.com/4265-1/

usn.ubuntu.com/4265-2/

www.debian.org/security/2020/dsa-4615

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

7 High

AI Score

Confidence

High

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.009 Low

EPSS

Percentile

82.1%

JSON

Related for CVE-2020-1931

prion4 redhatcve3 veracode2 nessus29 ubuntucve4 debiancve4 osv7 alpinelinux3 openvas24 suse1 freebsd3 almalinux1 oraclelinux1 redhat1 fedora2 debian7 ubuntu4 rosalinux1 mageia2 cve3 amazon1