cnvd - cnvd-2021-25268

cnvd-2021-25268

Vulnerability from cnvd

Title: Apache SpamAssassin注入漏洞

Description:

Apache SpamAssassin是美国阿帕奇（Apache）基金会的一款开源的垃圾邮件过滤器。该产品为系统管理员提供了一个过滤器，并支持对电子邮件进行分类阻止垃圾邮件。

Apache SpamAssassin 3.4.5之前版本存在注入漏洞，该漏洞允许配置恶意规则配置(.cf)文件来运行系统命令，而未有任何输出或错误。目前没有详细漏洞细节提供。

Severity: 高

Patch Name: Apache SpamAssassin注入漏洞的补丁

Patch Description:

Apache SpamAssassin 3.4.5之前版本存在注入漏洞，该漏洞允许配置恶意规则配置(.cf)文件来运行系统命令，而未有任何输出或错误。目前没有详细漏洞细节提供。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://ubuntu.com/security/CVE-2020-1946

Reference: https://s.apache.org/3r1wh

Impacted products

Name
Apache SpamAssassin <3.4.5

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-1946"
    }
  },
  "description": "Apache SpamAssassin\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u6b3e\u5f00\u6e90\u7684\u5783\u573e\u90ae\u4ef6\u8fc7\u6ee4\u5668\u3002\u8be5\u4ea7\u54c1\u4e3a\u7cfb\u7edf\u7ba1\u7406\u5458\u63d0\u4f9b\u4e86\u4e00\u4e2a\u8fc7\u6ee4\u5668\uff0c\u5e76\u652f\u6301\u5bf9\u7535\u5b50\u90ae\u4ef6\u8fdb\u884c\u5206\u7c7b\u963b\u6b62\u5783\u573e\u90ae\u4ef6\u3002\n\nApache SpamAssassin 3.4.5\u4e4b\u524d\u7248\u672c\u5b58\u5728\u6ce8\u5165\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u5141\u8bb8\u914d\u7f6e\u6076\u610f\u89c4\u5219\u914d\u7f6e(.cf)\u6587\u4ef6\u6765\u8fd0\u884c\u7cfb\u7edf\u547d\u4ee4\uff0c\u800c\u672a\u6709\u4efb\u4f55\u8f93\u51fa\u6216\u9519\u8bef\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://ubuntu.com/security/CVE-2020-1946",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-25268",
  "openTime": "2021-04-06",
  "patchDescription": "Apache SpamAssassin\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u6b3e\u5f00\u6e90\u7684\u5783\u573e\u90ae\u4ef6\u8fc7\u6ee4\u5668\u3002\u8be5\u4ea7\u54c1\u4e3a\u7cfb\u7edf\u7ba1\u7406\u5458\u63d0\u4f9b\u4e86\u4e00\u4e2a\u8fc7\u6ee4\u5668\uff0c\u5e76\u652f\u6301\u5bf9\u7535\u5b50\u90ae\u4ef6\u8fdb\u884c\u5206\u7c7b\u963b\u6b62\u5783\u573e\u90ae\u4ef6\u3002\r\n\r\nApache SpamAssassin 3.4.5\u4e4b\u524d\u7248\u672c\u5b58\u5728\u6ce8\u5165\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u5141\u8bb8\u914d\u7f6e\u6076\u610f\u89c4\u5219\u914d\u7f6e(.cf)\u6587\u4ef6\u6765\u8fd0\u884c\u7cfb\u7edf\u547d\u4ee4\uff0c\u800c\u672a\u6709\u4efb\u4f55\u8f93\u51fa\u6216\u9519\u8bef\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache SpamAssassin\u6ce8\u5165\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Apache SpamAssassin \u003c3.4.5"
  },
  "referenceLink": "https://s.apache.org/3r1wh",
  "serverity": "\u9ad8",
  "submitTime": "2021-03-29",
  "title": "Apache SpamAssassin\u6ce8\u5165\u6f0f\u6d1e"
}

CVE-2020-1946 (GCVE-0-2020-1946)

Vulnerability from cvelistv5

Published

2021-03-25 09:20

Modified

2025-02-13 16:27

Severity ?

CWE

CWE-78 - OS Command Injection

Summary

In Apache SpamAssassin before 3.4.5, malicious rule configuration (.cf) files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA version 3.4.5, users should only use update channels or 3rd party .cf files from trusted places.

References

▼	URL	Tags
	https://s.apache.org/3r1wh	x_refsource_MISC
	https://www.debian.org/security/2021/dsa-4879	vendor-advisory, x_refsource_DEBIAN
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7V2SBVTKVLFFT36ECJQ7TQ7KAQCQZDRZ/	vendor-advisory, x_refsource_FEDORA
	https://lists.debian.org/debian-lts-announce/2021/04/msg00000.html	mailing-list, x_refsource_MLIST
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JFBFRIG5TX23NF4ND6OAKKY7I6TLRCCP/	vendor-advisory, x_refsource_FEDORA
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NKAXYBKBMQOLIW6UKASJCAZRBOIYS4RL/	vendor-advisory, x_refsource_FEDORA
	https://security.gentoo.org/glsa/202105-26	vendor-advisory, x_refsource_GENTOO

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache SpamAssassin	Version: Apache SpamAssassin < 3.4.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T06:54:00.396Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://s.apache.org/3r1wh"
          },
          {
            "name": "DSA-4879",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2021/dsa-4879"
          },
          {
            "name": "FEDORA-2021-bf06dcffa8",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7V2SBVTKVLFFT36ECJQ7TQ7KAQCQZDRZ/"
          },
          {
            "name": "[debian-lts-announce] 20210401 [SECURITY] [DLA 2615-1] spamassassin security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00000.html"
          },
          {
            "name": "FEDORA-2021-90e915cc4f",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JFBFRIG5TX23NF4ND6OAKKY7I6TLRCCP/"
          },
          {
            "name": "FEDORA-2021-5a4377797c",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NKAXYBKBMQOLIW6UKASJCAZRBOIYS4RL/"
          },
          {
            "name": "GLSA-202105-26",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202105-26"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache SpamAssassin",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "3.4.5",
              "status": "affected",
              "version": "Apache SpamAssassin",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Apache SpamAssassin would like to thank Damian Lukowski at credativ for ethically reporting this issue."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In Apache SpamAssassin before 3.4.5, malicious rule configuration (.cf) files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA version 3.4.5, users should only use update channels or 3rd party .cf files from trusted places."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "CWE-78 OS Command Injection",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-08-04T06:54:56.000Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://s.apache.org/3r1wh"
        },
        {
          "name": "DSA-4879",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2021/dsa-4879"
        },
        {
          "name": "FEDORA-2021-bf06dcffa8",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7V2SBVTKVLFFT36ECJQ7TQ7KAQCQZDRZ/"
        },
        {
          "name": "[debian-lts-announce] 20210401 [SECURITY] [DLA 2615-1] spamassassin security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00000.html"
        },
        {
          "name": "FEDORA-2021-90e915cc4f",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JFBFRIG5TX23NF4ND6OAKKY7I6TLRCCP/"
        },
        {
          "name": "FEDORA-2021-5a4377797c",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NKAXYBKBMQOLIW6UKASJCAZRBOIYS4RL/"
        },
        {
          "name": "GLSA-202105-26",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/202105-26"
        }
      ],
      "source": {
        "defect": [
          "https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7793"
        ],
        "discovery": "UNKNOWN"
      },
      "title": "Apache SpamAssassin has an OS Command Injection vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2020-1946",
          "STATE": "PUBLIC",
          "TITLE": "Apache SpamAssassin has an OS Command Injection vulnerability"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache SpamAssassin",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "Apache SpamAssassin",
                            "version_value": "3.4.5"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Apache SpamAssassin would like to thank Damian Lukowski at credativ for ethically reporting this issue."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In Apache SpamAssassin before 3.4.5, malicious rule configuration (.cf) files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA version 3.4.5, users should only use update channels or 3rd party .cf files from trusted places."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-78 OS Command Injection"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://s.apache.org/3r1wh",
              "refsource": "MISC",
              "url": "https://s.apache.org/3r1wh"
            },
            {
              "name": "DSA-4879",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2021/dsa-4879"
            },
            {
              "name": "FEDORA-2021-bf06dcffa8",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7V2SBVTKVLFFT36ECJQ7TQ7KAQCQZDRZ/"
            },
            {
              "name": "[debian-lts-announce] 20210401 [SECURITY] [DLA 2615-1] spamassassin security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00000.html"
            },
            {
              "name": "FEDORA-2021-90e915cc4f",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JFBFRIG5TX23NF4ND6OAKKY7I6TLRCCP/"
            },
            {
              "name": "FEDORA-2021-5a4377797c",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NKAXYBKBMQOLIW6UKASJCAZRBOIYS4RL/"
            },
            {
              "name": "GLSA-202105-26",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/202105-26"
            }
          ]
        },
        "source": {
          "defect": [
            "https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7793"
          ],
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2020-1946",
    "datePublished": "2021-03-25T09:20:11.000Z",
    "dateReserved": "2019-12-02T00:00:00.000Z",
    "dateUpdated": "2025-02-13T16:27:40.012Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted