CVE-2017-15705

Name of the Vulnerable Software and Affected Versions: Apache SpamAssassin versions prior to 3.4.2

Description: A denial of service issue exists due to the incorrect handling of certain unclosed tags in emails, leading to scan timeouts. This occurs because the HTML::Parser module used by Apache SpamAssassin does not properly handle the "text" event for poorly formed HTML, causing the object to be handled abnormally. The issue is believed to be related to a bug or design decision in HTML::Parser. There have been instances of this issue being exploited in the wild, although it is not thought to have been intentionally used for denial of service attacks. However, there is concern that it may be abused in the future.

Recommendations: For versions prior to 3.4.2, update to version 3.4.2 or later to resolve the issue. As a temporary workaround, consider restricting the parsing of HTML emails to minimize the risk of exploitation.