CVE-2020-1930

Advisory lineage Upstream: 0 Downstream: 14
Modified
Published: 30 Jan 2020, 17:42
Last modified:04 Aug 2024, 06:54

Vulnerability Summary

Overall Risk (default)
high
70/100
CVSS Score
9.3 HIGH
v2.0 (nvd)
EPSS Score
0.97% LOW
1% probability -0.42%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

30 Jan 2020, 17:42
Published
Vulnerability first disclosed
04 Aug 2024, 06:54
Last Modified
Vulnerability information updated

Description

A command execution issue was found in Apache SpamAssassin prior to 3.4.3. Carefully crafted nefarious rule configuration (.cf) files can be configured to run system commands similar to CVE-2018-11805. With this bug unpatched, exploits can be injected in a number of scenarios including the same privileges as spamd is run which may be elevated though doing so remotely is difficult. In addition to upgrading to SA 3.4.4, we again recommend that users should only use update channels or 3rd party .cf files from trusted places. If you cannot upgrade, do not use 3rd party rulesets, do not use sa-compile and do not run spamd as an account with elevated privileges.

CVSS Metrics

  • v3.1HIGHScore: 8.1CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
  • v2.0HIGHScore: 9.3AV:N/AC:M/Au:N/C:C/I:C/A:C

EPSS Trends

Current EPSS score: 0.97% Percentile: 77%

Techniques & Countermeasures

  • CWE-78Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

    The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Affected Systems

  • apache software foundationapache spamassassin

    prior to 3.4.3

  • apachespamassassin

    < 3.4.3

References (10)