PT-2020-2097 · Apache · Apache SpamAssassin

Kevin A. McGrail · Published 2020-01-03 · Updated 2024-06-15 · CVE-2020-1930

CVSS v2.0: 9.3 (High)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Apache SpamAssassin versions prior to 3.4.4 (3.4.3 is affected; 3.4.4 is the release that fixes the issue)

Description: A command execution flaw in the spam filter's handling of rule configuration files. A maliciously crafted rule configuration (.cf) file can be written so that SpamAssassin runs system commands when it loads the rules, without producing any output or error. The commands run with the privileges of the process that parses the rules (spamd, the spamassassin command line tool, or sa-compile), which is root when spamd is run as root. An attacker who gets such a file onto the host, for example through an untrusted or compromised rule update channel or a third-party ruleset, can therefore read confidential data, modify the system and cause a denial of service. Remote exploitation is considered difficult because the attacker must first get the rule file deployed on the target, which the CVSS v2 vector reflects (network vector, medium access complexity, complete impact on confidentiality, integrity and availability). Only use update channels and third-party .cf files from trusted sources.

Recommendations: Upgrade to Apache SpamAssassin 3.4.4 or later; every earlier version is affected. Until the upgrade is done, do not load third-party rulesets, do not run spamd with elevated privileges (start it with -u/--username so it runs as an unprivileged account), and refrain from running sa-compile, which also parses rule files.
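As an added example (not part of this advisory and not code from the SpamAssassin project), the following POSIX shell script checks the three recommendations on a host: that the installed version is at least 3.4.4, that spamd is started with -u/--username so it drops privileges, and that sa-update is not invoked with --nogpg, which disables signature verification of the rules it downloads. It assumes that the first line printed by `spamassassin --version` has the form "SpamAssassin version X.Y.Z"; the command lines in the comments are constructed samples.

```shell
#!/bin/sh
# Added audit script for CVE-2020-1930 (not the advisory's or the project's code).
set -u

FIXED_VERSION=3.4.4

# version_lt A B: succeed (exit 0) when dotted version A sorts before B,
# comparing numerically field by field (3.4.2 < 3.4.4, 3.10.0 > 3.4.4, 3.4 < 3.4.4).
version_lt() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    if [ "$a" = "$x" ]; then a=''; else a=${a#*.}; fi
    if [ "$b" = "$y" ]; then b=''; else b=${b#*.}; fi
    if [ "${x:-0}" -lt "${y:-0}" ]; then return 0; fi
    if [ "${x:-0}" -gt "${y:-0}" ]; then return 1; fi
  done
  return 1
}

# sa_needs_upgrade LINE: LINE is the first line of `spamassassin --version`,
# e.g. "SpamAssassin version 3.4.2". Exit 0 when that version is older than
# the fixed release, 1 when it is fixed, 2 when the line cannot be parsed.
sa_needs_upgrade() {
  v=$(printf '%s\n' "$1" | sed -n 's/^SpamAssassin version \([0-9][0-9.]*\).*/\1/p')
  [ -n "$v" ] || return 2
  version_lt "$v" "$FIXED_VERSION"
}

# spamd_runs_privileged CMDLINE: exit 0 when a spamd command line carries no
# -u/--username option, so the daemon (and any command a malicious rule file
# makes it run) keeps the privileges it was started with, typically root.
# Sample (constructed): "/usr/sbin/spamd -d --pidfile=/run/spamd.pid" -> 0
#                       "/usr/sbin/spamd -d -u spamd"                  -> 1
spamd_runs_privileged() {
  case " $1 " in
    *" -u "*|*" --username="*|*" --username "*) return 1 ;;
    *) return 0 ;;
  esac
}

# saupdate_skips_gpg CMDLINE: exit 0 when an sa-update invocation passes --nogpg,
# i.e. installs rule files from the channel without verifying their signature.
# Sample (constructed): "sa-update --nogpg --channel updates.spamassassin.org" -> 0
saupdate_skips_gpg() {
  case " $1 " in
    *" --nogpg "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Live audit of the local host; runs only when invoked as `sh sa_audit.sh --run`.
audit() {
  if command -v spamassassin >/dev/null 2>&1; then
    line=$(spamassassin --version 2>/dev/null | head -n 1)
    if sa_needs_upgrade "$line"; then
      echo "FAIL: $line is older than $FIXED_VERSION; upgrade"
    else
      echo "ok: $line"
    fi
  else
    echo "spamassassin is not installed on this host"
  fi
  # Inspect the argv of every spamd parent process ("spamd child" workers
  # rewrite their argv and carry no options, so they are skipped).
  ps -eo args= 2>/dev/null | grep '[s]pamd' | grep -v 'spamd child' | while read -r cmd; do
    if spamd_runs_privileged "$cmd"; then
      echo "FAIL: spamd started without -u/--username: $cmd"
    else
      echo "ok: $cmd"
    fi
  done
}

if [ "${1:-}" = "--run" ]; then audit; fi
```

Run `sh sa_audit.sh --run` for the live checks; the functions can also be sourced and fed the command lines from your cron jobs or service units (for example the sa-update line of the rules update job) to flag --nogpg before it reaches production.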

Weakness Enumeration

OS Command Injection

Related Identifiers

ALT-PU-2020-1004
ALT-PU-2020-1005
ALT-PU-2020-1038
ALT-PU-2020-1039
ALT-PU-2020-3094
ALT-PU-2020-3105
ALT-PU-2021-2780
BDU:2020-01958
CESA-2020_4625
CVE-2020-1930
DLA-2107-1
DSA-4615-1
MGASA-2020-0079
OPENSUSE-SU-2020:0446-1
OPENSUSE-SU-2024:11395-1
RHSA-2020:4625
SUSE-SU-2020:0810-1
SUSE-SU-2020:0811-1
SUSE-SU-2020:0813-1
USN-4265-1
USN-4265-2

Affected Products

ALT Linux
Apache SpamAssassin
CentOS
Red Hat
SUSE
Ubuntu