History: Jul 02, 2021 - 6:08 p.m.

Advisory ROSA-SA-2021-1973

2021-07-02 18:08:24
ROSA LAB
abf.rosalinux.ru
29
Tags: apache spamassassin, 3.4.x, multiple, critical, high, remote code execution, vulnerabilities

CVSS2: 10
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3: 9.8
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 8.5
Confidence: High

EPSS: 0.04
Percentile: 92.2%

Software: spamassassin 3.4.0
OS: Cobalt 7.9

CVE-ID: CVE-2018-11780
CVE-Crit: CRITICAL
CVE-DESC: A potential remote code execution bug exists with the PDFInfo plugin in Apache SpamAssassin before 3.4.2.
CVE-STATUS: Default
CVE-REV: default

CVE-ID: CVE-2018-11805
CVE-Crit: MEDIUM
CVE-DESC: In Apache SpamAssassin before 3.4.3, nefarious CF files can be configured to execute system commands without any output or errors. With this, exploits can be injected in multiple scenarios. In addition to upgrading to SA 3.4.3, we recommend that users use only update channels or third-party .cf files from trusted locations.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2020-1930
CVE-Crit: HIGH
CVE-DESC: A command execution issue was discovered in Apache SpamAssassin before 3.4.3. Carefully crafted rogue rule configuration files (.cf) can be configured to execute system commands, similar to CVE-2018-11805. If this bug is not fixed, exploits can be introduced in a number of scenarios, including with the same privileges that spamd runs with, which may be elevated, although it is difficult to do so remotely. In addition to upgrading to SA 3.4.4, we again recommend that users only use update feeds or third-party .cf files from trusted locations. If you cannot upgrade, do not use third-party rule sets, do not use sa-compile, and do not run spamd as an account with elevated privileges.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2020-1931
CVE-Crit: HIGH
CVE-DESC: A command execution issue was discovered in Apache SpamAssassin before 3.4.3. Carefully crafted nefarious configuration files (.cf) can be configured to execute system commands, similar to CVE-2018-11805. This issue is less stealthy, and attempts to exploit it will trigger warnings. Thanks to Damian Lukowski at credativ for ethically reporting this issue. If this bug is not fixed, exploits can be introduced in a number of scenarios, although it is difficult to do so remotely. In addition to upgrading to SA 3.4.4, we again recommend that users only use update feeds or third-party .cf files from trusted locations.
CVE-STATUS: default
CVE-REV: default

CVE-ID: CVE-2020-1946
CVE-Crit: CRITICAL
CVE-DESC: In Apache SpamAssassin before 3.4.5, malicious rule configuration files (.cf) can be configured to execute system commands without any output or errors. In doing so, exploits can be implemented in multiple scenarios. In addition to upgrading to SA version 3.4.5, users should only use update feeds or third-party .cf files from trusted locations.
CVE-STATUS: default
CVE-REV: default

OS | Version | Architecture | Package | Version | Filename
Cobalt | any | noarch | spamassassin | < 3.4.0 | UNKNOWN
