CVE-2017-15705

Advisory lineage Upstream: 0 Downstream: 11

Downstream

ALPINE-CVE-2017-15705 DEBIAN-CVE-2017-15705 DLA-1578-1 MGASA-2018-0425 OPENSUSE-SU-2019:1831-1 OPENSUSE-SU-2024:11395-1

Modified

Published: 17 Sept 2018, 14:00

Last modified:16 Sept 2024, 23:15

Vulnerability Summary

Overall Risk (default)

low

22/100

CVSS Score

5.3 MEDIUM

v3.0 (nvd)

EPSS Score

1.77% LOW

2% probability 0.00%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

17 Sept 2018, 14:00

Published

Vulnerability first disclosed

16 Sept 2024, 23:15

Last Modified

Vulnerability information updated

Description

A denial of service vulnerability was identified that exists in Apache SpamAssassin before 3.4.2. The vulnerability arises with certain unclosed tags in emails that cause markup to be handled incorrectly leading to scan timeouts. In Apache SpamAssassin, using HTML::Parser, we setup an object and hook into the begin and end tag event handlers In both cases, the "open" event is immediately followed by a "close" event - even if the tag *does not* close in the HTML being parsed. Because of this, we are missing the "text" event to deal with the object normally. This can cause carefully crafted emails that might take more scan time than expected leading to a Denial of Service. The issue is possibly a bug or design decision in HTML::Parser that specifically impacts the way Apache SpamAssassin uses the module with poorly formed html. The exploit has been seen in the wild but not believed to have been purposefully part of a Denial of Service attempt. We are concerned that there may be attempts to abuse the vulnerability in the future.

CVSS Metrics

v3.0•MEDIUM•Score: 5.3CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
v2.0•MEDIUM•Score: 5AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS Trends

Current EPSS score: 1.77%• Percentile: 83%

Techniques & Countermeasures

CWE-20•Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Affected Systems

apache software foundation•apache spamassassin
all modern versions before 3.4.2
apache•spamassassin
< 3.4.2
canonical•ubuntu_linux
12.04 | 14.04 | 16.04 | 18.04
debian•debian_linux
8.0
redhat•enterprise_linux_desktop
7.0
redhat•enterprise_linux_eus
7.5
redhat•enterprise_linux_server
7.0
redhat•enterprise_linux_workstation
7.0