CVE-2020-1946
Description
In Apache SpamAssassin before 3.4.5, malicious rule configuration (.cf) files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA version 3.4.5, users should only use update channels or 3rd party .cf files from trusted places.
Risk Information
Base Score
9.8
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score
Exploitation Probability
1.495
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| spamassassin security update(DSA-4879-1) spamassassin_3.4.2-1+deb10u3_all.deb | Linux |
| Perl-based spam filter using text analysis (USN-4899-1) spamassassin_3.4.4-1ubuntu1.1_all.deb | Linux |
| Perl-based spam filter using text analysis (USN-4899-1) spamassassin_3.4.2-0ubuntu0.16.04.5_all.deb | Linux |
| Perl-based spam filter using text analysis (USN-4899-1) spamassassin_3.4.2-0ubuntu0.18.04.5_all.deb | Linux |
| SUSE-SU-2021:1152-1(SUSE Linux Enterprise Server 12-SP5 ) perl-Mail-SpamAssassin-3.4.5-44.13.1.x86_64.rpm | Linux |
| SUSE-SU-2021:1152-1(SUSE Linux Enterprise Server 12-SP5 ) spamassassin-debuginfo-3.4.5-44.13.1.x86_64.rpm | Linux |
| SUSE-SU-2021:1152-1(SUSE Linux Enterprise Server 12-SP5 ) spamassassin-debugsource-3.4.5-44.13.1.x86_64.rpm | Linux |
| SUSE-SU-2021:1152-1(SUSE Linux Enterprise Server 12-SP5 ) spamassassin-3.4.5-44.13.1.x86_64.rpm | Linux |
| SUSE-SU-2021:1163-1(SUSE Linux Enterprise Module for Basesystem 15-SP3 ) spamassassin-3.4.5-12.10.1.x86_64.rpm | Linux |
| SUSE-SU-2021:1163-1(SUSE Linux Enterprise Module for Basesystem 15-SP3 ) perl-Mail-SpamAssassin-3.4.5-12.10.1.x86_64.rpm | Linux |
| SUSE-SU-2021:1163-1(SUSE Linux Enterprise Module for Basesystem 15-SP3 ) spamassassin-debuginfo-3.4.5-12.10.1.x86_64.rpm | Linux |
| SUSE-SU-2021:1163-1(SUSE Linux Enterprise Module for Basesystem 15-SP3 ) spamassassin-debugsource-3.4.5-12.10.1.x86_64.rpm | Linux |
| SUSE-SU-2021:1163-1(SUSE Linux Enterprise Module for Development Tools 15-SP3 ) perl-Mail-SpamAssassin-Plugin-iXhash2-2.05-12.10.1.x86_64.rpm | Linux |
| (RHSA-2021:4315)Moderate: security update spamassassin-3.4.4-4.el8.x86_64.rpm | Linux |
| (RHSA-2021:4315)Moderate: security update spamassassin-debuginfo-3.4.4-4.el8.x86_64.rpm | Linux |
| (RHSA-2021:4315)Moderate: security update spamassassin-debugsource-3.4.4-4.el8.x86_64.rpm | Linux |
| Spamassassin update (ELSA-2021-4315) spamassassin-3.4.4-4.el8.x86_64.rpm | Linux |
| spamassassin Security Update (ALAS-2021-1642) spamassassin-3.4.4-3.amzn2.0.1.x86_64.rpm | Linux |
Patch Details
No records foundReferences
https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234