CVE-2018-11805

MEDIUM

Apache SpamAssassin <3.4.3 - Code Injection


Description

In Apache SpamAssassin before 3.4.3, malicious CF (configuration) files can be crafted to run system commands without producing any output or errors. This allows code to be injected in a number of scenarios. In addition to upgrading to SpamAssassin 3.4.3, users are advised to use only update channels and third-party .cf files from trusted sources.

References (29)

Vendor Advisory (Ubuntu): https://usn.ubuntu.com/4237-1/
Mailing List, Third Party Advisory (oss-security): http://www.openwall.com/lists/oss-security/2019/12/12/1
Mailing List, Third Party Advisory (oss-sec archive): https://seclists.org/oss-sec/2019/q4/154
Vendor Confirmation, Permissions Required (Apache Bugzilla): https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7647
Third Party Advisory (Debian): https://www.debian.org/security/2019/dsa-4584
Mailing List, Third Party Advisory (Bugtraq): https://seclists.org/bugtraq/2019/Dec/27
Mailing List, Third Party Advisory (Debian LTS): https://lists.debian.org/debian-lts-announce/2019/12/msg00019.html
Vendor Advisory (Ubuntu): https://usn.ubuntu.com/4237-2/
Mailing List (oss-security): http://www.openwall.com/lists/oss-security/2020/01/30/2
Mailing List (oss-security): http://www.openwall.com/lists/oss-security/2020/01/30/3

Scores

CVSS v3 6.7 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Attack Vector LOCAL
EPSS 0.0003 (percentile 8.9%)

Details

CWE
CWE-78
Status published
Products (4)
apache/spamassassin < 3.4.3
debian/debian_linux 8.0
debian/debian_linux 9.0
debian/debian_linux 10.0
Published Dec 12, 2019
Tracked Since Feb 18, 2026