CVE-2020-1946

Updated: 2024-11-30 02:43:20.572001

Description:

In Apache SpamAssassin before 3.4.5, malicious rule configuration (.cf) files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA version 3.4.5, users should only use update channels or 3rd party .cf files from trusted places.



Severity

| | Severity | Score |
|---|---|---|
| CVSS Version 2.x | HIGH | 10 |
| CVSS Version 3.x | CRITICAL | 9.8 |

Status

| OS name | Project name | Version | Score | Severity | Status | Errata | Last updated | Statement |
|---|---|---|---|---|---|---|---|---|
| CentOS 6 ELS | spamassassin | 3.3.1 | 9.8 | CRITICAL | Ignored | | 2024-05-07 05:18:08 | |
| CentOS 8.4 ELS | spamassassin | 3.4.4 | 9.8 | CRITICAL | Released | CLSA-2023:1684174025 | 2023-05-15 17:06:25 | |
| CentOS 8.5 ELS | spamassassin | 3.4.4 | 9.8 | CRITICAL | Not Vulnerable | | 2023-05-15 11:04:52 | |
| CloudLinux 6 ELS | spamassassin | 3.3.1 | 9.8 | CRITICAL | Ignored | | 2024-05-07 05:18:08 | |
| Oracle Linux 6 ELS | spamassassin | 3.3.1 | 9.8 | CRITICAL | Ignored | | 2024-05-07 05:18:08 | |
| Ubuntu 16.04 ELS | spamassassin | 3.4.2 | 9.8 | CRITICAL | Not Vulnerable | | 2023-05-15 11:04:52 | |