9 matches found
CVE-2016-1238
CVE-2016-1238 affects SpamAssassin (Debian advisory DLA-1578-1). The issue arises when Perl programs do not properly remove trailing periods from the includes directory array, which can allow a local attacker to load a Trojan horse module from the current working directory and gain privileges. De...
CVE-2019-12420
In Apache SpamAssassin, versions prior to 3.4.3 are affected by CVE-2019-12420: a specially crafted message can cause excessive resource consumption, resulting in a denial of service. The recommended remediation is to upgrade to SpamAssassin 3.4.3 as soon as possible. Some advisories also note th...
CVE-2018-11805
In Apache SpamAssassin, multiple CVEs (notably CVE-2018-11805 and CVE-2020-1930) describe a command-execution flaw in which crafted configuration files (.cf) can run system commands with same privileges as the spamd process. The root cause is untrusted or crafted rule/config files enabling local ...
CVE-2020-1946
CVE-2020-1946 affects Apache SpamAssassin prior to 3.4.5. Malicious rule configuration files (.cf) can be crafted to execute system commands without output or errors, enabling command execution in multiple scenarios. Root cause: untrusted .cf content can trigger privileged actions. Impact: potent...
CVE-2020-1930
In CVE-2020-1930, Apache SpamAssassin contains a command-injection vulnerability in the .cf parsing path. Crafted configuration files can cause system commands to execute with the same privileges as the spamd process, potentially elevating access. The issue affects SpamAssassin before the patched...
CVE-2020-1931
Apache SpamAssassin prior to 3.4.3 contains a command-injection vulnerability where specially crafted configuration files (.cf) can cause execution of system commands. The issue is explicitly tied to CVE-2020-1931 and is part of a family of remote-impact flaws affecting the SpamAssassin workflow,...
CVE-2018-11780
Apache SpamAssassin is affected by CVE-2018-11780 due to a potential Remote Code Execution in the PDFInfo plugin prior to version 3.4.2. Connected sources confirm SpamAssassin and PDFInfo as the vulnerable components, with upstream/vendors recommending upgrading to 3.4.2 or newer to mitigate. The...
CVE-2017-15705
The CVE-2017-15705 entry concerns Apache SpamAssassin before 3.4.2, where crafted emails with unclosed HTML tags can trigger scan timeouts and Denial of Service. The root cause is tied to HTML::Parser usage in SpamAssassin: begin/end tag events are followed by an immediate close, causing the miss...
CVE-2018-11781
CVE-2018-11781 is an Apache SpamAssassin vulnerability describing a local user code injection in the meta rule syntax. Affected software is SpamAssassin 3.4.2 (upstream) with fixes implemented to address the issue. Deb/kern sources indicate this is a local-execution flaw rather than remote, tied ...