Main Vulnerability Database Vulnerabilities #VU16311

#VU16311 Code injection in SpamAssassin - CVE-2018-11781

Published: December 6, 2018

Vulnerability identifier: #VU16311

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/U:Clear

CVE-ID: CVE-2018-11781

CWE-ID: CWE-94

Exploitation vector: Local access

Exploit availability: No public exploit available

Vulnerable software:
SpamAssassin

Software vendor:
Apache Foundation

Description

The vulnerability allows a local attacker to execute arbitrary code on the target system.

The vulnerability exists due to a code injection condition in the meta rule syntax that exists when rules are processed by the affected software. A local attacker can supply specially crafted data and execute arbitrary code with elevated privileges.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Remediation

Update to version 3.4.2.

External links

https://lists.apache.org/thread.html/7f6a16bc0fd0fd5e67c7fd95bd655069a2ac7d1f88e42d3c853e601c@%3Cannounce.apache.org%3E

#VU16311 Code injection in SpamAssassin - CVE-2018-11781

Description

Remediation

External links

Please verify you're human