CVE-2020-1930
Last modified
CVE-2020-1930 is a high-severity vulnerability rated 8.1/10 on the CVSS scale. A command execution issue was found in Apache SpamAssassin prior to 3.4.3. Carefully crafted nefarious rule configuration (.cf) files can be configured to run system commands similar to CVE-2018-11805. EPSS estimates a 7.05% chance of exploitation in the next 30 days.
Description
A command execution issue was found in Apache SpamAssassin prior to 3.4.3. Carefully crafted nefarious rule configuration (.cf) files can be configured to run system commands similar to CVE-2018-11805. With this bug unpatched, exploits can be injected in a number of scenarios including the same privileges as spamd is run which may be elevated though doing so remotely is difficult. In addition to upgrading to SA 3.4.4, we again recommend that users should only use update channels or 3rd party .cf files from trusted places. If you cannot upgrade, do not use 3rd party rulesets, do not use sa-compile and do not run spamd as an account with elevated privileges.
Metrics
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Apache | Spamassassin | < 3.4.3 |
References
- https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7648Permissions Required
- https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7648Permissions Required
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2020-1930?
How severe is CVE-2020-1930?
How do I fix CVE-2020-1930?
Are you affected by CVE-2020-1930?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST