CVSS2
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score
Confidence: High

EPSS
Percentile: 92.2%

Software: spamassassin 3.4.0
OS: Cobalt 7.9
CVE-ID: CVE-2018-11780
CVE-Crit: CRITICAL
CVE-DESC: A potential remote code execution bug exists with the PDFInfo plugin in Apache SpamAssassin before 3.4.2.
CVE-STATUS: Default
CVE-REV: default
CVE-ID: CVE-2018-11805
CVE-Crit: MEDIUM
CVE-DESC: In Apache SpamAssassin before 3.4.3, nefarious CFs can be configured to execute system commands without any output or errors. In doing so, exploits can be injected in multiple scenarios. In addition to upgrading to SA 3.4.3, we recommend that users use only update channels or third-party .cf files from trusted locations.
CVE-STATUS: default
CVE-REV: default
CVE-ID: CVE-2020-1930
CVE-Crit: HIGH
CVE-DESC: A command execution issue was discovered in Apache SpamAssassin before 3.4.3. Carefully crafted rogue rule configuration files (.cf) can be configured to execute system commands like CVE-2018-11805. If this bug is not fixed, exploits can be introduced in a number of scenarios, including the same privileges that can be elevated when running spamd, although it is difficult to do so remotely. In addition to upgrading to SA 3.4.4, we again recommend that users only use update feeds or third-party .cf files from trusted locations. If you cannot upgrade, do not use third-party rule sets, do not use sa-compile, and do not run spamd as an account with elevated privileges.
CVE-STATUS: default
CVE-REV: default
CVE-ID: CVE-2020-1931
CVE-Crit: HIGH
CVE-DESC: A command execution issue was discovered in Apache SpamAssassin before 3.4.3. Carefully crafted nefarious configuration files (.cf) can be configured to execute system commands like CVE-2018-11805. This issue is less stealthy and attempts to exploit it will trigger warnings. Thanks to Damian Lukowski at credativ for ethically reporting this issue. If this bug is not fixed, exploits can be introduced in a number of scenarios, although it is difficult to do so remotely. In addition to upgrading to SA 3.4.4, we again recommend that users only use update feeds or third-party .cf files from trusted locations.
CVE-STATUS: default
CVE-REV: default
CVE-ID: CVE-2020-1946
CVE-Crit: CRITICAL
CVE-DESC: In Apache SpamAssassin before 3.4.5, malicious rule configuration files (.cf) can be configured to execute system commands without any output or errors. In doing so, exploits can be implemented in multiple scenarios. In addition to upgrading to SA version 3.4.5, users should only use update feeds or third-party .cf files from trusted locations.
CVE-STATUS: default
CVE-REV: default
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
Cobalt | any | noarch | spamassassin | < 3.4.0 | UNKNOWN |