CVE-2020-1946 - OpenCVE

In Apache SpamAssassin before 3.4.5, malicious rule configuration (.cf) files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA version 3.4.5, users should only use update channels or 3rd party .cf files from trusted places.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:L/Au:N/C:C/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Apache	Spamassassin
Debian	Debian Linux
Fedoraproject	Fedora

Configuration 1 [-]

cpe:2.3:a:apache:spamassassin:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:o:debian:debian_linux:9.0:::::::*
	cpe:2.3:o:debian:debian_linux:10.0:::::::*

Configuration 3 [-]

OR	cpe:2.3:o:fedoraproject:fedora:32:::::::*
	cpe:2.3:o:fedoraproject:fedora:33:::::::*
	cpe:2.3:o:fedoraproject:fedora:34:::::::*

References

Link	Resource
https://lists.debian.org/debian-lts-announce/2021/04/msg00000.html	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7V2SBVTKVLFFT36ECJQ7TQ7KAQCQZDRZ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JFBFRIG5TX23NF4ND6OAKKY7I6TLRCCP/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NKAXYBKBMQOLIW6UKASJCAZRBOIYS4RL/
https://s.apache.org/3r1wh	Mailing List Vendor Advisory
https://security.gentoo.org/glsa/202105-26	Third Party Advisory
https://www.debian.org/security/2021/dsa-4879	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: apache

Published: 2021-03-25T09:20:11

Updated: 2021-05-26T11:08:51

Reserved: 2019-12-02T00:00:00

Link: CVE-2020-1946

JSON object: View

NVD Information

Status : Modified

Published: 2021-03-25T10:15:11.727

Modified: 2023-11-07T03:19:37.797

Link: CVE-2020-1946

JSON object: View

Redhat Information

No data.

CWE

CWE-78

{"containers": {"cna": {"affected": [{"product": "Apache SpamAssassin", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "3.4.5", "status": "affected", "version": "Apache SpamAssassin", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Apache SpamAssassin would like to thank Damian Lukowski at credativ for ethically reporting this issue."}], "descriptions": [{"lang": "en", "value": "In Apache SpamAssassin before 3.4.5, malicious rule configuration (.cf) files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA version 3.4.5, users should only use update channels or 3rd party .cf files from trusted places."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "description": "CWE-78 OS Command Injection", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-05-26T11:08:51", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://s.apache.org/3r1wh"}, {"name": "DSA-4879", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2021/dsa-4879"}, {"name": "FEDORA-2021-bf06dcffa8", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7V2SBVTKVLFFT36ECJQ7TQ7KAQCQZDRZ/"}, {"name": "[debian-lts-announce] 20210401 [SECURITY] [DLA 2615-1] spamassassin security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00000.html"}, {"name": "FEDORA-2021-90e915cc4f", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JFBFRIG5TX23NF4ND6OAKKY7I6TLRCCP/"}, {"name": "FEDORA-2021-5a4377797c", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NKAXYBKBMQOLIW6UKASJCAZRBOIYS4RL/"}, {"name": "GLSA-202105-26", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202105-26"}], "source": {"defect": ["https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7793"], "discovery": "UNKNOWN"}, "title": "Apache SpamAssassin has an OS Command Injection vulnerability", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2020-1946", "STATE": "PUBLIC", "TITLE": "Apache SpamAssassin has an OS Command Injection vulnerability"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache SpamAssassin", "version": {"version_data": [{"version_affected": "<", "version_name": "Apache SpamAssassin", "version_value": "3.4.5"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "credit": [{"lang": "eng", "value": "Apache SpamAssassin would like to thank Damian Lukowski at credativ for ethically reporting this issue."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Apache SpamAssassin before 3.4.5, malicious rule configuration (.cf) files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA version 3.4.5, users should only use update channels or 3rd party .cf files from trusted places."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-78 OS Command Injection"}]}]}, "references": {"reference_data": [{"name": "https://s.apache.org/3r1wh", "refsource": "MISC", "url": "https://s.apache.org/3r1wh"}, {"name": "DSA-4879", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2021/dsa-4879"}, {"name": "FEDORA-2021-bf06dcffa8", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7V2SBVTKVLFFT36ECJQ7TQ7KAQCQZDRZ/"}, {"name": "[debian-lts-announce] 20210401 [SECURITY] [DLA 2615-1] spamassassin security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00000.html"}, {"name": "FEDORA-2021-90e915cc4f", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JFBFRIG5TX23NF4ND6OAKKY7I6TLRCCP/"}, {"name": "FEDORA-2021-5a4377797c", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NKAXYBKBMQOLIW6UKASJCAZRBOIYS4RL/"}, {"name": "GLSA-202105-26", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202105-26"}]}, "source": {"defect": ["https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7793"], "discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2020-1946", "datePublished": "2021-03-25T09:20:11", "dateReserved": "2019-12-02T00:00:00", "dateUpdated": "2021-05-26T11:08:51", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:spamassassin:*:*:*:*:*:*:*:*", "matchCriteriaId": "6B2EC96E-432A-4D9F-95C7-051CBE121C7D", "versionEndExcluding": "3.4.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "matchCriteriaId": "36D96259-24BD-44E2-96D9-78CE1D41F956", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In Apache SpamAssassin before 3.4.5, malicious rule configuration (.cf) files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA version 3.4.5, users should only use update channels or 3rd party .cf files from trusted places."}, {"lang": "es", "value": "En Apache SpamAssassin anterior a versi\u00f3n 3.4.5, los archivos de configuraci\u00f3n de reglas maliciosas (.cf) se pueden configurar para ejecutar comandos del sistema sin ning\u00fan resultado ni errores. Con esto, las explotaciones se pueden inyectar en varios escenarios. Adem\u00e1s de actualizar a la versi\u00f3n 3.4.5 de SA, los usuarios solo deben usar canales de actualizaci\u00f3n o archivos .cf de terceros desde lugares de confianza"}], "id": "CVE-2020-1946", "lastModified": "2023-11-07T03:19:37.797", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-03-25T10:15:11.727", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00000.html"}, {"source": "security@apache.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7V2SBVTKVLFFT36ECJQ7TQ7KAQCQZDRZ/"}, {"source": "security@apache.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JFBFRIG5TX23NF4ND6OAKKY7I6TLRCCP/"}, {"source": "security@apache.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NKAXYBKBMQOLIW6UKASJCAZRBOIYS4RL/"}, {"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://s.apache.org/3r1wh"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202105-26"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2021/dsa-4879"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-78"}], "source": "security@apache.org", "type": "Secondary"}]}