Vulnerability Details : CVE-2017-15705
A denial of service vulnerability was identified that exists in Apache SpamAssassin before 3.4.2. The vulnerability arises with certain unclosed tags in emails that cause markup to be handled incorrectly leading to scan timeouts. In Apache SpamAssassin, using HTML::Parser, we setup an object and hook into the begin and end tag event handlers In both cases, the "open" event is immediately followed by a "close" event - even if the tag *does not* close in the HTML being parsed. Because of this, we are missing the "text" event to deal with the object normally. This can cause carefully crafted emails that might take more scan time than expected leading to a Denial of Service. The issue is possibly a bug or design decision in HTML::Parser that specifically impacts the way Apache SpamAssassin uses the module with poorly formed html. The exploit has been seen in the wild but not believed to have been purposefully part of a Denial of Service attempt. We are concerned that there may be attempts to abuse the vulnerability in the future.
Vulnerability category: Input validationDenial of service
Exploit prediction scoring system (EPSS) score for CVE-2017-15705
Probability of exploitation activity in the next 30 days: 0.85%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 82 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2017-15705
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
10.0
|
2.9
|
NIST |
|
5.3
|
MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
3.9
|
1.4
|
NIST |
CWE ids for CVE-2017-15705
-
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-15705
-
http://www.securityfocus.com/bid/105347
Apache SpamAssassin CVE-2017-15705 Denial of Service VulnerabilityThird Party Advisory;VDB Entry
-
https://usn.ubuntu.com/3811-1/
USN-3811-1: SpamAssassin vulnerabilities | Ubuntu security noticesThird Party Advisory
-
https://lists.apache.org/thread.html/7f6a16bc0fd0fd5e67c7fd95bd655069a2ac7d1f88e42d3c853e601c@%3Cannounce.apache.org%3E
Pony Mail!Mailing List;Third Party Advisory
-
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00002.html
[security-announce] openSUSE-SU-2019:1831-1: moderate: Security update f
-
https://usn.ubuntu.com/3811-2/
USN-3811-2: SpamAssassin vulnerability | Ubuntu security noticesThird Party Advisory
-
https://security.gentoo.org/glsa/201812-07
SpamAssassin: Multiple vulnerabilities (GLSA 201812-07) — Gentoo security
-
https://lists.debian.org/debian-lts-announce/2018/11/msg00016.html
[SECURITY] [DLA 1578-1] spamassassin security updateThird Party Advisory
-
https://access.redhat.com/errata/RHSA-2018:2916
RHSA-2018:2916 - Security Advisory - Red Hat Customer PortalThird Party Advisory
Products affected by CVE-2017-15705
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_eus:7.5:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:spamassassin:*:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*