CVE-2018-11805
Published: Dec 12, 2019
Modified: Aug 5, 2024
PUBLISHED
Description
In Apache SpamAssassin before 3.4.3, nefarious CF files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA 3.4.3, we recommend that users should only use update channels or 3rd party .cf files from trusted places.
| Vendor | Product | Versions |
|---|---|---|
| Apache | Apache SpamAssassin | affected Apache SpamAssassin prior to 3.4.3 |
References
[spamassassin-users] 20191212 [SECURITY] Apache SpamAssassin v3.4.3 released with fix for CVE-2018-11805
mailing-list
x_refsource_MLIST
[spamassassin-dev] 20191212 [SECURITY] Apache SpamAssassin v3.4.3 released with fix for CVE-2018-11805
mailing-list
x_refsource_MLIST
[spamassassin-announce] 20191212 [SECURITY] Apache SpamAssassin v3.4.3 released with fix for CVE-2018-11805
mailing-list
x_refsource_MLIST
[oss-security] 20191212 Apache SpamAssassin v3.4.3 released with fix for CVE-2018-11805
mailing-list
x_refsource_MLIST
[announce] 20191212 [SECURITY] Apache SpamAssassin v3.4.3 released with fix for CVE-2018-11805
mailing-list
x_refsource_MLIST
https://seclists.org/oss-sec/2019/q4/154
x_refsource_MISC
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7647
x_refsource_CONFIRM
DSA-4584
vendor-advisory
x_refsource_DEBIAN
20191216 [SECURITY] [DSA 4584-1] spamassassin security update
mailing-list
x_refsource_BUGTRAQ
[debian-lts-announce] 20191216 [SECURITY] [DLA 2037-1] spamassassin security update
mailing-list
x_refsource_MLIST
[spamassassin-users] 20191218 CVE-2018-11805 fix and sa-exim
mailing-list
x_refsource_MLIST
[spamassassin-users] 20191218 Re: CVE-2018-11805 fix and sa-exim
mailing-list
x_refsource_MLIST
[spamassassin-users] 20191219 Re: CVE-2018-11805 fix and sa-exim
mailing-list
x_refsource_MLIST
USN-4237-1
vendor-advisory
x_refsource_UBUNTU
USN-4237-2
vendor-advisory
x_refsource_UBUNTU
[spamassassin-users] 20200130 Re: ANNOUNCE: Apache SpamAssassin 3.4.4 available
mailing-list
x_refsource_MLIST
[spamassassin-users] 20200131 Re: ANNOUNCE: Apache SpamAssassin 3.4.4 available
mailing-list
x_refsource_MLIST
openSUSE-SU-2020:0446
vendor-advisory
x_refsource_SUSE