Updated: 2024-11-30 02:43:20.572001
Description:
In Apache SpamAssassin before 3.4.5, malicious rule configuration (.cf) files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA version 3.4.5, users should only use update channels or 3rd party .cf files from trusted places.
Links | NIST | CIRCL | RHEL | Ubuntu |
Severity | Score | |
---|---|---|
CVSS Version 2.x | HIGH | 10 |
CVSS Version 3.x | CRITICAL | 9.8 |
OS name | Project name | Version | Score | Severity | Status | Errata | Last updated | Statement |
---|---|---|---|---|---|---|---|---|
CentOS 6 ELS | spamassassin | 3.3.1 | 9.8 | CRITICAL | Ignored | 2024-05-07 05:18:08 | ||
CentOS 8.4 ELS | spamassassin | 3.4.4 | 9.8 | CRITICAL | Released | CLSA-2023:1684174025 | 2023-05-15 17:06:25 | |
CentOS 8.5 ELS | spamassassin | 3.4.4 | 9.8 | CRITICAL | Not Vulnerable | 2023-05-15 11:04:52 | ||
CloudLinux 6 ELS | spamassassin | 3.3.1 | 9.8 | CRITICAL | Ignored | 2024-05-07 05:18:08 | ||
Oracle Linux 6 ELS | spamassassin | 3.3.1 | 9.8 | CRITICAL | Ignored | 2024-05-07 05:18:08 | ||
Ubuntu 16.04 ELS | spamassassin | 3.4.2 | 9.8 | CRITICAL | Not Vulnerable | 2023-05-15 11:04:52 |