Vulnerability Details: CVE-2018-11805
In Apache SpamAssassin before 3.4.3, nefarious rule configuration (.cf) files can be configured to run system commands without producing any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA 3.4.3, we recommend that users only use update channels or third-party .cf files from trusted sources.
Products affected by CVE-2018-11805
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:spamassassin:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-11805
- EPSS score: 0.09% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~40% (the proportion of vulnerabilities that are scored at or below this score)
CVSS scores for CVE-2018-11805
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C | 3.9 | 10.0 | NIST | |
6.7 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 0.8 | 5.9 | NIST | |
CWE ids for CVE-2018-11805
- CWE-78 (OS Command Injection): The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-11805
- https://lists.apache.org/thread.html/r6729f3d3be754a06c39bb4f11c925a3631e8ea2b4c865546d755cb0a@%3Cdev.spamassassin.apache.org%3E : [CVE-2020-1930] Apache SpamAssassin Nefarious rule configuration (.cf) files can be configured to run system commands
- https://lists.debian.org/debian-lts-announce/2019/12/msg00019.html : [SECURITY] [DLA 2037-1] spamassassin security update (Mailing List; Third Party Advisory)
- https://lists.apache.org/thread.html/d015dc5b4f24fd6777a85d068502a9c5d58d69d877ed5b0eb9a22cd5@%3Cdev.spamassassin.apache.org%3E : [SECURITY] Apache SpamAssassin v3.4.3 released with fix for CVE-2018-11805 (Vendor Advisory)
- https://seclists.org/bugtraq/2019/Dec/27 : Bugtraq: [SECURITY] [DSA 4584-1] spamassassin security update (Mailing List; Third Party Advisory)
- https://seclists.org/oss-sec/2019/q4/154 : oss-sec: Apache SpamAssassin v3.4.3 released with fix for CVE-2018-11805 (Mailing List; Third Party Advisory)
- https://lists.apache.org/thread.html/r6729f3d3be754a06c39bb4f11c925a3631e8ea2b4c865546d755cb0a@%3Cannounce.apache.org%3E : [CVE-2020-1930] Apache SpamAssassin Nefarious rule configuration (.cf) files can be configured to run system commands
- https://lists.apache.org/thread.html/r3d32ebf97b1245b8237763444e911c4595d2ad5e34a1641840d8146f@%3Cusers.spamassassin.apache.org%3E
- https://lists.apache.org/thread.html/0b5c73809d0690527341d940029f743807b70550050fd23ee869c5e5@%3Cusers.spamassassin.apache.org%3E : Re: CVE-2018-11805 fix and sa-exim (Mailing List; Third Party Advisory)
- https://lists.apache.org/thread.html/8534b60bae95ac3a8a4adb840f4ab26135f1c973ce197ff44439cbae@%3Cusers.spamassassin.apache.org%3E : Re: CVE-2018-11805 fix and sa-exim (Vendor Advisory)
- https://lists.apache.org/thread.html/r71f789fcd6339144e3d4db8f4128def12c341e638bd0107a0b82a05b@%3Cannounce.spamassassin.apache.org%3E : [CVE-2020-1930] Apache SpamAssassin Nefarious rule configuration (.cf) files can be configured to run system commands
- https://lists.apache.org/thread.html/rc4df9835fb2d7b5bb1202fca99a1de21a40acef055661d3a9e8ae781@%3Cusers.spamassassin.apache.org%3E : [CVE-2020-1931] Apache SpamAssassin Nefarious rule configuration (.cf) files can be configured to run system commands with warnings.
- https://lists.apache.org/thread.html/bc58907171c6585e5875a3ce86066d4956c218911cb74e3156de4433@%3Cannounce.apache.org%3E : [SECURITY] Apache SpamAssassin v3.4.3 released with fix for CVE-2018-11805 (Mailing List; Vendor Advisory)
- http://www.openwall.com/lists/oss-security/2020/01/30/2 : oss-security - [CVE-2020-1931] Apache SpamAssassin Nefarious rule configuration (.cf) files can be configured to run system commands with warnings.
- https://lists.apache.org/thread.html/c1f59b7e13b7f2c12f847f7d0dec2636df3cdbcaa6d8309007395ff4@%3Cusers.spamassassin.apache.org%3E : CVE-2018-11805 fix and sa-exim (Vendor Advisory)
- https://lists.apache.org/thread.html/rc4df9835fb2d7b5bb1202fca99a1de21a40acef055661d3a9e8ae781@%3Cannounce.apache.org%3E
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00003.html
- https://usn.ubuntu.com/4237-2/ : USN-4237-2: SpamAssassin vulnerabilities | Ubuntu security notices
- https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7647 : Apache SpamAssassin bug 7647 (access restricted)
- https://lists.apache.org/thread.html/6f89f82a573ea616dce53ec67e52d963618a9f9ac71da5c1efdbd166@%3Cusers.spamassassin.apache.org%3E : [SECURITY] Apache SpamAssassin v3.4.3 released with fix for CVE-2018-11805 (Mailing List; Vendor Advisory)
- https://usn.ubuntu.com/4237-1/ : USN-4237-1: SpamAssassin vulnerabilities | Ubuntu security notices
- https://lists.apache.org/thread.html/2946b38caec47f7f6a79e8e03d2aa723794186e59a7dc6b5e76dfc18@%3Cannounce.spamassassin.apache.org%3E : [SECURITY] Apache SpamAssassin v3.4.3 released with fix for CVE-2018-11805 (Mailing List; Vendor Advisory)
- https://lists.apache.org/thread.html/r2578c486552637bfedbe624940cc60d6463bd90044c887bdebb75e74@%3Cusers.spamassassin.apache.org%3E : Re: ANNOUNCE: Apache SpamAssassin 3.4.4 available
- https://www.debian.org/security/2019/dsa-4584 : Debian -- Security Information -- DSA-4584-1 spamassassin (Third Party Advisory)
- https://svn.apache.org/repos/asf/spamassassin/branches/3.4/build/announcements/3.4.3.txt : Apache SpamAssassin 3.4.3 release announcement (Mailing List; Vendor Advisory)
- http://www.openwall.com/lists/oss-security/2019/12/12/1 : oss-security - Apache SpamAssassin v3.4.3 released with fix for CVE-2018-11805 (Mailing List; Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2020/01/30/3 : oss-security - [CVE-2020-1930] Apache SpamAssassin Nefarious rule configuration (.cf) files can be configured to run system commands
- https://lists.apache.org/thread.html/rc4df9835fb2d7b5bb1202fca99a1de21a40acef055661d3a9e8ae781@%3Cdev.spamassassin.apache.org%3E
- https://lists.apache.org/thread.html/r6729f3d3be754a06c39bb4f11c925a3631e8ea2b4c865546d755cb0a@%3Cusers.spamassassin.apache.org%3E : [CVE-2020-1930] Apache SpamAssassin Nefarious rule configuration (.cf) files can be configured to run system commands
- https://lists.apache.org/thread.html/r217177f7de36deab36dab88db4b6448961122571176dd4b2c133d08e@%3Cannounce.spamassassin.apache.org%3E : [CVE-2020-1931] Apache SpamAssassin Nefarious rule configuration (.cf) files can be configured to run system commands with warnings.