CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 10 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
Apache SpamAssassin is vulnerable to command injection. Malicious rule configuration (.cf) files can be configured to run system commands without any output or errors. This allows exploits to be injected in a number of scenarios.
lists.debian.org/debian-lts-announce/2021/04/msg00000.html
lists.fedoraproject.org/archives/list/[email protected]/message/7V2SBVTKVLFFT36ECJQ7TQ7KAQCQZDRZ/
lists.fedoraproject.org/archives/list/[email protected]/message/JFBFRIG5TX23NF4ND6OAKKY7I6TLRCCP/
lists.fedoraproject.org/archives/list/[email protected]/message/NKAXYBKBMQOLIW6UKASJCAZRBOIYS4RL/
s.apache.org/3r1wh
security-tracker.debian.org/tracker/CVE-2020-1946
security.gentoo.org/glsa/202105-26
www.debian.org/security/2021/dsa-4879