OS Command Injection in SpamAssassin - CVE-2018-11805
Published: December 13, 2019
Vulnerability identifier: #VU23601
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-11805
CWE-ID: CWE-78
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Apache Foundation
Affected software:
SpamAssassin
SpamAssassin
Detailed vulnerability description
The vulnerability allows a local user to execute arbitrary shell commands on the target system.
The vulnerability exists due to nefarious CF files can be configured to run system commands without any output. A local user can inject arbitrary commands into nefarious CF files and compromise the system or execute arbitrary code with elevated privileges.
How to mitigate CVE-2018-11805
Install updates from vendor's website.
Sources
- http://www.openwall.com/lists/oss-security/2019/12/12/1
- https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7647
- https://lists.apache.org/thread.html/2946b38caec47f7f6a79e8e03d2aa723794186e59a7dc6b5e76dfc18@%3Cannounce.spamassassin.apache.org%3E
- https://lists.apache.org/thread.html/6f89f82a573ea616dce53ec67e52d963618a9f9ac71da5c1efdbd166@%3Cusers.spamassassin.apache.org%3E
- https://lists.apache.org/thread.html/bc58907171c6585e5875a3ce86066d4956c218911cb74e3156de4433@%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/d015dc5b4f24fd6777a85d068502a9c5d58d69d877ed5b0eb9a22cd5@%3Cdev.spamassassin.apache.org%3E
- https://seclists.org/oss-sec/2019/q4/154
- https://svn.apache.org/repos/asf/spamassassin/branches/3.4/build/announcements/3.4.3.txt