PT-2020-5863 · Apache+8 · Apache Spamassassin+8

Damian Lukowski

Published

2020-12-31

Updated

2024-06-15

CVE-2020-1946

CVSS v2.0

Critical

Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions: Apache SpamAssassin versions prior to 3.4.5

Description: The issue allows malicious rule configuration (.cf) files to be configured to run system commands without any output or errors, enabling exploits to be injected in various scenarios. Users should only use update channels or 3rd party .cf files from trusted places.

Recommendations: For Apache SpamAssassin versions prior to 3.4.5, upgrade to version 3.4.5 to resolve the issue. As a temporary workaround, consider restricting the use of .cf files from untrusted sources until the upgrade is applied. Additionally, only use update channels or 3rd party .cf files from trusted places to minimize the risk of exploitation.

Fix

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-78

Related Identifiers

ALSA-2021:4315

ALT-PU-2021-1557

ALT-PU-2021-1558

ALT-PU-2021-1571

ALT-PU-2021-1572

ALT-PU-2021-2780

ALT-PU-2021-2781

BDU:2021-01910

CESA-2021_4315

CVE-2020-1946

DLA-2615-1

DSA-4879-1

MGASA-2021-0182

OPENSUSE-SU-2021:0551-1

OPENSUSE-SU-2021_0551-1

OPENSUSE-SU-2024:11395-1

RHSA-2021:4315

RHSA-2021_4315

RLSA-2021:4315

SUSE-SU-2021:1152-1

SUSE-SU-2021:1153-1

SUSE-SU-2021:1163-1

USN-4899-1

USN-4899-2

Affected Products

Alt Linux

Almalinux

Apache Spamassassin

Centos

Linuxmint

Red Hat

Rocky Linux

Suse

Ubuntu

PT-2020-5863 · Apache+8 · Apache Spamassassin+8

CVE-2020-1946

Weakness Enumeration

Related Identifiers

Affected Products

References · 68