ALPINE-CVE-2020-1931

Advisory lineage Upstream: 1 Downstream: 0

Upstream

CVE-2020-1931

Published: 30 Jan 2020, 18:15

Last modified:03 Dec 2025, 22:46

Vulnerability Summary

Overall Risk (default)

medium

32/100

CVSS Score

8.1 HIGH

3.1 (osv_alpine)

EPSS Score

No data

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

30 Jan 2020, 18:15

Published

Vulnerability first disclosed

03 Dec 2025, 22:46

Last Modified

Vulnerability information updated

Description

A command execution issue was found in Apache SpamAssassin prior to 3.4.3. Carefully crafted nefarious Configuration (.cf) files can be configured to run system commands similar to CVE-2018-11805. This issue is less stealthy and attempts to exploit the issue will throw warnings. Thanks to Damian Lukowski at credativ for reporting the issue ethically. With this bug unpatched, exploits can be injected in a number of scenarios though doing so remotely is difficult. In addition to upgrading to SA 3.4.4, we again recommend that users should only use update channels or 3rd party .cf files from trusted places.

CVSS Metrics

v3.1•HIGH•Score: 8.1CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Systems

alpine•spamassassin
< 3.4.4-r0 | < 3.4.4-r0 | < 3.4.4-r0 | < 3.4.4-r0 | < 3.4.4-r0 | < 3.4.4-r0 | < 3.4.4-r0 | < 3.4.4-r0 | < 3.4.4-r0 | < 3.4.4-r0 | < 3.4.4-r0 | < 3.4.4-r0 | < 3.4.4-r0 | < 3.4.4-r0

References (1)

https://security.alpinelinux.org/vuln/CVE-2020-1931