Severity: Unrated (NVD Advisory) · Published Mar 25, 2021 · Updated Feb 13, 2025
Apache SpamAssassin has an OS Command Injection vulnerability
CVE-2020-1946
Description
In Apache SpamAssassin before 3.4.5, malicious rule configuration (.cf) files can be crafted to run system commands without producing any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SpamAssassin 3.4.5, users should only use update channels or third-party .cf files from trusted sources.
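The advisory makes two recommendations: upgrade to 3.4.5 or later, and treat rule files as trusted code rather than data. The following Python script is an example added for this page (not SpamAssassin project code) that implements the corresponding checks: it parses the output of `spamassassin --version`, flags upstream builds older than 3.4.5, and lists the `loadplugin` and `include` directives in a rule file so every plugin or file a .cf pulls in can be traced to a trusted source. The rule file `SAMPLE_CF` and the paths inside it are constructed for the example. The page does not describe the specific vector of this CVE, so the directive scan is a provenance inventory of what a rule file loads, not a detector for the vulnerability itself.

```python
# Added example (not SpamAssassin project code): the two checks the advisory
# text implies, run on constructed input so the script works offline.
import re
import subprocess
from typing import List, Optional, Tuple

# First upstream release carrying the fix, per the advisory text.
FIXED_UPSTREAM: Tuple[int, int, int] = (3, 4, 5)

# Documented Mail::SpamAssassin::Conf directives that make a .cf file load
# further Perl code (loadplugin) or further configuration (include).
_CODE_LOADING = re.compile(r"^\s*(loadplugin|include)\s+(.+)$", re.MULTILINE)


def parse_sa_version(version_output: str) -> Optional[Tuple[int, int, int]]:
    """Parse `spamassassin --version` output, e.g. 'SpamAssassin version 3.4.4'."""
    m = re.search(r"SpamAssassin version (\d+)\.(\d+)\.(\d+)", version_output)
    if m is None:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def upstream_vulnerable(version: Tuple[int, int, int]) -> bool:
    """True if an upstream build predates 3.4.5.

    Caveat: distribution packages backport fixes under an older upstream
    version string (this page lists 3.4.4-4.el8 as fixed, for instance), so
    for packaged installs compare the package release against the distro
    advisory instead of relying on this check alone.
    """
    return version < FIXED_UPSTREAM


def code_loading_directives(cf_text: str) -> List[Tuple[str, str]]:
    """Return (directive, argument) for every loadplugin/include line."""
    return [(d, arg.strip()) for d, arg in _CODE_LOADING.findall(cf_text)]


def explicit_plugin_paths(cf_text: str) -> List[str]:
    """Files handed to loadplugin explicitly. Each one is Perl that will be
    loaded into the scanner, so each must be traceable to a trusted source."""
    paths = []
    for directive, arg in code_loading_directives(cf_text):
        parts = arg.split()
        if directive == "loadplugin" and len(parts) > 1:
            paths.append(parts[1])
    return paths


def installed_version() -> Optional[Tuple[int, int, int]]:
    """Version of the locally installed spamassassin, or None if it is absent."""
    try:
        proc = subprocess.run(["spamassassin", "--version"],
                              capture_output=True, text=True, check=False)
    except OSError:
        return None
    return parse_sa_version(proc.stdout)


# Constructed sample rule file for the example (not a real deployment).
SAMPLE_CF = """\
# local rules
loadplugin Mail::SpamAssassin::Plugin::Shortcircuit
loadplugin My::Rules /var/tmp/rules.pm
include /etc/mail/spamassassin/extra.cf
body LOCAL_DEMO /demo/i
score LOCAL_DEMO 0.1
"""

if __name__ == "__main__":
    v = installed_version()
    if v is not None:
        state = "predates 3.4.5" if upstream_vulnerable(v) else "is 3.4.5 or later"
        print("installed SpamAssassin", ".".join(map(str, v)), state)
    for directive, arg in code_loading_directives(SAMPLE_CF):
        print(f"{directive}: {arg}")
    print("plugin files loaded by explicit path:", explicit_plugin_paths(SAMPLE_CF))
```

Run it against a real deployment by feeding the contents of each file under /etc/mail/spamassassin and the per-user ~/.spamassassin/user_prefs into `code_loading_directives`; any `loadplugin` path or `include` target outside the packaged rule directories is a third-party artifact whose provenance should be established before the scanner is restarted.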
Affected products
Upstream (no CPE):
- Apache SpamAssassin, versions < 3.4.5
Distribution packages (OSV coordinates, 31 entries; each entry gives the package version that carries the fix, so installed versions older than it are affected):
- pkg:rpm/almalinux/spamassassin: < 3.4.4-4.el8
- pkg:rpm/opensuse/spamassassin (openSUSE Leap 15.2): < 3.4.5-lp152.10.3.1
- pkg:rpm/opensuse/spamassassin (openSUSE Tumbleweed): < 3.4.6-71.3
- pkg:rpm/suse/spamassassin (HPE Helion OpenStack 8): < 3.4.5-44.13.1
- pkg:rpm/suse/spamassassin (SUSE Enterprise Storage 6): < 3.4.5-12.10.1
- pkg:rpm/suse/spamassassin (SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS): < 3.4.5-12.10.1
- pkg:rpm/suse/spamassassin (SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS): < 3.4.5-12.10.1
- pkg:rpm/suse/spamassassin (SUSE Linux Enterprise High Performance Computing 15-ESPOS): < 3.4.5-7.14.1
- pkg:rpm/suse/spamassassin (SUSE Linux Enterprise High Performance Computing 15-LTSS): < 3.4.5-7.14.1
- pkg:rpm/suse/spamassassin (SUSE Linux Enterprise Module for Basesystem 15 SP2): < 3.4.5-12.10.1
- pkg:rpm/suse/spamassassin (SUSE Linux Enterprise Module for Development Tools 15 SP2): < 3.4.5-12.10.1
- pkg:rpm/suse/spamassassin (SUSE Linux Enterprise Server 12 SP2-BCL): < 3.4.5-44.13.1
- pkg:rpm/suse/spamassassin (SUSE Linux Enterprise Server 12 SP3-BCL): < 3.4.5-44.13.1
- pkg:rpm/suse/spamassassin (SUSE Linux Enterprise Server 12 SP3-LTSS): < 3.4.5-44.13.1
- pkg:rpm/suse/spamassassin (SUSE Linux Enterprise Server 12 SP4-LTSS): < 3.4.5-44.13.1
- pkg:rpm/suse/spamassassin (SUSE Linux Enterprise Server 12 SP5): < 3.4.5-44.13.1
- pkg:rpm/suse/spamassassin (SUSE Linux Enterprise Server 15 SP1-BCL): < 3.4.5-12.10.1
- pkg:rpm/suse/spamassassin (SUSE Linux Enterprise Server 15 SP1-LTSS): < 3.4.5-12.10.1
- pkg:rpm/suse/spamassassin (SUSE Linux Enterprise Server 15-LTSS): < 3.4.5-7.14.1
- pkg:rpm/suse/spamassassin (SUSE Linux Enterprise Server for SAP Applications 12 SP3): < 3.4.5-44.13.1
- pkg:rpm/suse/spamassassin (SUSE Linux Enterprise Server for SAP Applications 12 SP4): < 3.4.5-44.13.1
- pkg:rpm/suse/spamassassin (SUSE Linux Enterprise Server for SAP Applications 12 SP5): < 3.4.5-44.13.1
- pkg:rpm/suse/spamassassin (SUSE Linux Enterprise Server for SAP Applications 15): < 3.4.5-7.14.1
- pkg:rpm/suse/spamassassin (SUSE Linux Enterprise Server for SAP Applications 15 SP1): < 3.4.5-12.10.1
- pkg:rpm/suse/spamassassin (SUSE Manager Proxy 4.0): < 3.4.5-12.10.1
- pkg:rpm/suse/spamassassin (SUSE Manager Retail Branch Server 4.0): < 3.4.5-12.10.1
- pkg:rpm/suse/spamassassin (SUSE Manager Server 4.0): < 3.4.5-12.10.1
- pkg:rpm/suse/spamassassin (SUSE OpenStack Cloud 8): < 3.4.5-44.13.1
- pkg:rpm/suse/spamassassin (SUSE OpenStack Cloud 9): < 3.4.5-44.13.1
- pkg:rpm/suse/spamassassin (SUSE OpenStack Cloud Crowbar 8): < 3.4.5-44.13.1
- pkg:rpm/suse/spamassassin (SUSE OpenStack Cloud Crowbar 9): < 3.4.5-44.13.1
References
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7V2SBVTKVLFFT36ECJQ7TQ7KAQCQZDRZ/ (Fedora vendor advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JFBFRIG5TX23NF4ND6OAKKY7I6TLRCCP/ (Fedora vendor advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NKAXYBKBMQOLIW6UKASJCAZRBOIYS4RL/ (Fedora vendor advisory)
- security.gentoo.org/glsa/202105-26 (Gentoo GLSA 202105-26)
- www.debian.org/security/2021/dsa-4879 (Debian DSA-4879)
- lists.debian.org/debian-lts-announce/2021/04/msg00000.html (Debian LTS announcement, mailing list)
- s.apache.org/3r1wh (Apache short link, listed by MITRE as MISC)