CVE-2024-20328
ClamAV 1.0.0-1.0.5 - OS Command Injection via VirusEvent File Name Handling
Severity: MEDIUM
Title source: llmDescription
A vulnerability in the VirusEvent feature of ClamAV could allow a local attacker to inject arbitrary commands with the privileges of the application service account. The vulnerability is due to unsafe handling of file names. A local attacker could exploit this vulnerability by supplying a file name containing command-line sequences. When processed on a system using configuration options for the VirusEvent feature, the attacker could cause the application to execute arbitrary commands. ClamAV has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
References (2)
Core References
Release Notes, Vendor Advisory: https://blog.clamav.net/2023/11/clamav-130-122-105-released.html
Mailing List, Third Party Advisory: https://lists.fedoraproject.org/archives/list/[email protected]/message/5FXZYVDNV66RNMNVJOHAJAYRZV4U64CQ/
Scores
CVSS v3: 5.3
EPSS: 0.8484
EPSS Percentile: 99.7%
Attack Vector: LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-78
Status: published
Products (1)
clamav/clamav: 1.0.0 - 1.0.5
Published: Mar 01, 2024
Tracked Since: Feb 18, 2026