
CVE-2020-1946

CVSS Severity Score: 9.8 (CRITICAL)
EPSS Score: 0.0710%
EPSS Percentile: 3.71th
Published: March 25, 2021
Last Modified: November 21, 2024

Vulnerability Description

In Apache SpamAssassin before 3.4.5, malicious rule configuration (.cf) files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA version 3.4.5, users should only use update channels or 3rd party .cf files from trusted places.

Affected Platforms (CPE)

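Vendor: Apache, Product: Spamassassin, Version: < 3.4.5
Vendor: Debian, Product: Debian Linux, Version: = 9.0
Vendor: Debian, Product: Debian Linux, Version: = 10.0
Vendor: Fedoraproject, Product: Fedora, Version: = 32
Vendor: Fedoraproject, Product: Fedora, Version: = 33
Vendor: Fedoraproject, Product: Fedora, Version: = 34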

References & Advisories
