cvelist | Apache | CVELIST:CVE-2020-1946
Mar 25, 2021 - 9:20 a.m.

CVE-2020-1946 Apache SpamAssassin has an OS Command Injection vulnerability

2021-03-25 09:20:11
CWE-78
apache
www.cve.org

AI Score: 9.5 High (Confidence: High)

EPSS: 0.016 Low (Percentile: 87.6%)

In Apache SpamAssassin before 3.4.5, malicious rule configuration (.cf) files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA version 3.4.5, users should only use update channels or 3rd party .cf files from trusted places.

CNA Affected

[
  {
    "product": "Apache SpamAssassin",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThan": "3.4.5",
        "status": "affected",
        "version": "Apache SpamAssassin",
        "versionType": "custom"
      }
    ]
  }
]