CVE-2020-1946
Published: Mar 25, 2021
Modified: Feb 13, 2025
PUBLISHED
Description
In Apache SpamAssassin before 3.4.5, malicious rule configuration (.cf) files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA version 3.4.5, users should only use update channels or 3rd party .cf files from trusted places.
| Vendor | Product | Versions |
|---|---|---|
| Apache Software Foundation | Apache SpamAssassin | affected Apache SpamAssassin - < 3.4.5 |
Weaknesses (CWE)
References
| Reference | Tags |
|---|---|
| https://s.apache.org/3r1wh | x_refsource_MISC |
| DSA-4879 | vendor-advisory, x_refsource_DEBIAN |
| FEDORA-2021-bf06dcffa8 | vendor-advisory, x_refsource_FEDORA |
| [debian-lts-announce] 20210401 [SECURITY] [DLA 2615-1] spamassassin security update | mailing-list, x_refsource_MLIST |
| FEDORA-2021-90e915cc4f | vendor-advisory, x_refsource_FEDORA |
| FEDORA-2021-5a4377797c | vendor-advisory, x_refsource_FEDORA |
| GLSA-202105-26 | vendor-advisory, x_refsource_GENTOO |