PT-2010-2848 · Apache · Spamassassin Milter Plugin

Published

2010-03-26

Updated

2017-08-17

CVE-2010-1132

CVSS v2.0

9.3

High

Vector

AV:N/AC:M/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions SpamAssassin Milter Plugin version 0.3.1

Description The issue allows remote attackers to execute arbitrary system commands via shell metacharacters in the RCPT TO field of an email message, specifically when the expand option is used in the mlfi envrcpt function.

Recommendations For SpamAssassin Milter Plugin version 0.3.1, consider disabling the expand option in the mlfi envrcpt function as a temporary workaround until a patch is available. Restrict access to the mlfi envrcpt function to minimize the risk of exploitation. Avoid using shell metacharacters in the RCPT TO field of email messages until the issue is resolved.

Exploit

Fix

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-78

Related Identifiers

CVE-2010-1132

DSA-2021-1

DSA-2021-2

Affected Products

Spamassassin Milter Plugin

PT-2010-2848 · Apache · Spamassassin Milter Plugin

CVE-2010-1132

Weakness Enumeration

Related Identifiers

Affected Products

References · 24