CyberSec.Space Logo
Back to CVE Browser

CVE-2020-7247

Known Exploited (CISA KEV)CRITICAL
9.8
CVSS Severity Score
EPSS Score33.4850%
EPSS Percentile88.23th
PublishedJan 29, 2020
Last ModifiedNov 7, 2025

Vulnerability Description

smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL FROM field. This affects the "uncommented" default configuration. The issue exists because of an incorrect return value upon failure of input validation.

Affected Platforms (CPE)

πŸ“¦
Openbsd

Opensmtpd

= 6.6
πŸ’»
Debian

Debian Linux

= 9.0
πŸ’»
Debian

Debian Linux

= 10.0
πŸ’»
Fedoraproject

Fedora

= 32
πŸ’»
Canonical

Ubuntu Linux

= 18.04
πŸ’»
Canonical

Ubuntu Linux

= 19.10

References & Advisories

πŸ”— http://packetstormsecurity.com/files/156137/OpenBSD-OpenSMTPD-Privilege-Escalation-Code-Execution.html
πŸ”— http://packetstormsecurity.com/files/156145/OpenSMTPD-6.6.2-Remote-Code-Execution.html
πŸ”— http://packetstormsecurity.com/files/156249/OpenSMTPD-MAIL-FROM-Remote-Code-Execution.html
πŸ”— http://packetstormsecurity.com/files/156295/OpenSMTPD-6.6.1-Local-Privilege-Escalation.html
πŸ”— http://packetstormsecurity.com/files/162093/OpenBSD-OpenSMTPD-6.6-Remote-Code-Execution.html
πŸ”— http://seclists.org/fulldisclosure/2020/Jan/49
πŸ”— http://www.openwall.com/lists/oss-security/2020/01/28/3
πŸ”— https://github.com/openbsd/src/commit/9dcfda045474d8903224d175907bfc29761dcb45

Related Vulnerabilities

CVE-2020-87949.8

OpenSMTPD before 6.6.4 allows remote code execution because of an out-of-bounds read in mta_io in mta_session.c for multi-line rep...

CVE-2015-76879.8

Use-after-free vulnerability in OpenSMTPD before 5.7.2 allows remote attackers to cause a denial of service (crash) or execute arb...

CVE-2020-356807.5

smtpd/lka_filter.c in OpenSMTPD before 6.8.0p1, in certain configurations, allows remote attackers to cause a denial of service (N...

CVE-2020-356797.5

smtpd/table.c in OpenSMTPD before 6.8.0p1 lacks a certain regfree, which might allow attackers to trigger a "very significant" mem...