Code injection in SpamAssassin - CVE-2018-11781

Published: December 6, 2018


Vulnerability identifier: #VU16311
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/U:Clear
CVE-ID: CVE-2018-11781
CWE-ID: CWE-94
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Apache Foundation
Affected software:
SpamAssassin

Detailed vulnerability description

The vulnerability allows a local attacker to execute arbitrary code on the target system.

The vulnerability exists because the meta rule syntax allows code injection when rules are processed by the affected software. A local attacker who can supply specially crafted rule data can execute arbitrary code with elevated privileges.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
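Because the injection point is the meta rule expression, a defender reviewing locally deployed rule files before or after upgrading can audit every `meta` line for content outside the operators and rule names such an expression normally contains. The linter below is an added example written for this entry; it is not code from the advisory or from the SpamAssassin project, and the token allowlist it uses (rule names, numbers, boolean, comparison and arithmetic operators, parentheses) is an assumption about what a meta expression should contain, not SpamAssassin's own parser grammar. The rule file it scans is constructed inline.

```python
import re

# Assumed allowlist of what a meta rule expression normally contains:
# rule names, numeric constants, boolean/comparison/arithmetic operators and
# parentheses. Anything that does not tokenise under this grammar (quotes,
# semicolons, backticks, braces, ...) is reported for manual review.
META_TOKEN_RE = re.compile(r"""
    (?P<ws>\s+)
  | (?P<name>[A-Za-z_][A-Za-z0-9_]*)
  | (?P<num>\d+(?:\.\d+)?)
  | (?P<op>&&|\|\||==|!=|>=|<=|[-+*/<>!()])
""", re.VERBOSE)

# Rule names: letters, digits and underscores only (assumption for this check).
RULE_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def check_meta_expression(expr):
    """Return the characters in expr that fall outside the allowlist (empty if clean)."""
    problems = []
    pos = 0
    while pos < len(expr):
        m = META_TOKEN_RE.match(expr, pos)
        if m is None:
            # Foreign character: record it and keep scanning.
            problems.append(expr[pos])
            pos += 1
            continue
        pos = m.end()
    return problems


def lint_rules(text):
    """Scan rule-file text; return (line number, rule name, reason) for each suspicious meta line."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if parts[0] != "meta":
            continue  # only meta rules are expressions; other directives are not checked here
        if len(parts) < 3:
            findings.append((lineno, parts[1] if len(parts) > 1 else "", "missing expression"))
            continue
        name, expr = parts[1], parts[2]
        if not RULE_NAME_RE.match(name):
            findings.append((lineno, name, "bad rule name"))
        bad = check_meta_expression(expr)
        if bad:
            findings.append((lineno, name, "unexpected characters: " + "".join(bad)))
    return findings


# Constructed sample rule file for this example; not a real SpamAssassin rule set.
SAMPLE_RULES = """\
# constructed sample
body   MY_BODY_RULE   /example text/i
meta   MY_META        (MY_BODY_RULE && !__MY_SUBRULE)
meta   MY_COUNT       (MY_BODY_RULE + __MY_SUBRULE) > 1
meta   ODD_META       MY_BODY_RULE || foo("bar")
meta   BAD-NAME       MY_BODY_RULE
"""

if __name__ == "__main__":
    for lineno, name, reason in lint_rules(SAMPLE_RULES):
        print(f"line {lineno}: {name}: {reason}")
```

Running it on the sample reports line 5 (quotes in the expression) and line 6 (hyphen in the rule name); the two well-formed meta rules pass. A finding is a prompt for review, not proof of tampering, and the check is a complement to applying the fixed version, not a replacement for it.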


How to mitigate CVE-2018-11781

Update to version 3.4.2.

Sources