PT-2020-2098 · Apache · Apache SpamAssassin

Published: 2020-01-03 · Updated: 2024-06-15 · CVE-2020-1931

CVSS v2.0: 9.3 (High)

Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Apache SpamAssassin versions prior to 3.4.3

Description: A command execution issue was found in Apache SpamAssassin, where carefully crafted configuration files can be used to run system commands. This issue is less stealthy, and attempts to exploit it will throw warnings. Exploits can be injected in several scenarios, although remote exploitation is difficult. The issue allows an attacker to potentially access confidential data, compromise its integrity, and cause a denial of service.

Recommendations: For versions prior to 3.4.3, upgrade to SA 3.4.4. As a general precaution, only use update channels or third-party configuration files from trusted sources.

Fix

OS Command Injection

Weakness Enumeration

Related Identifiers

ALT-PU-2020-1004
ALT-PU-2020-1005
ALT-PU-2020-1038
ALT-PU-2020-1039
ALT-PU-2020-3094
ALT-PU-2020-3105
ALT-PU-2021-2780
BDU:2020-01959
CESA-2020_4625
CVE-2020-1931
DLA-2107-1
DSA-4615-1
MGASA-2020-0079
OPENSUSE-SU-2020:0446-1
OPENSUSE-SU-2020_0446-1
OPENSUSE-SU-2024:11395-1
RHSA-2020:4625
RHSA-2020_4625
SUSE-SU-2020:0810-1
SUSE-SU-2020:0811-1
SUSE-SU-2020:0813-1
USN-4265-1
USN-4265-2

Affected Products

Alt Linux
Apache SpamAssassin
CentOS
Red Hat
SUSE
Ubuntu