CVE-2019-12420 — HIGH (7.5)

Q: How severe is CVE-2019-12420?

CVE-2019-12420 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2019-12420?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Spamassassin, Debian Debian Linux.

Vulnerability Description

In Apache SpamAssassin before 3.4.3, a message can be crafted in a way to use excessive resources. Upgrading to SA 3.4.3 as soon as possible is the recommended fix but details will not be shared publicly.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Apache	Spamassassin	< 3.4.3
Debian	Debian Linux	8.0

Related Weaknesses (CWE)

CWE-400

References

http://www.openwall.com/lists/oss-security/2019/12/12/2Mailing ListThird Party Advisory
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7747Permissions Required
https://lists.apache.org/thread.html/5863d6c42fc9595a29566732f12348cde0ca0e41bda
https://lists.apache.org/thread.html/5ef362d6da12126fafc81443309ca95d872d1bfd011
https://lists.apache.org/thread.html/64cf76749956dd08f7d5b86ec9f3321f382cfd7fe71
https://lists.apache.org/thread.html/e3c2367351286b77a74a082e2b66b793cceefa7b6ea
https://lists.apache.org/thread.html/r2578c486552637bfedbe624940cc60d6463bd90044
https://lists.apache.org/thread.html/r3d32ebf97b1245b8237763444e911c4595d2ad5e34
https://lists.debian.org/debian-lts-announce/2019/12/msg00019.htmlMailing ListThird Party Advisory
https://seclists.org/bugtraq/2019/Dec/27Mailing ListThird Party Advisory
https://svn.apache.org/repos/asf/spamassassin/branches/3.4/build/announcements/3Mailing ListVendor Advisory
https://usn.ubuntu.com/4237-1/
https://usn.ubuntu.com/4237-2/
https://www.debian.org/security/2019/dsa-4584Third Party Advisory
http://www.openwall.com/lists/oss-security/2019/12/12/2Mailing ListThird Party Advisory

FAQ

What is CVE-2019-12420?

CVE-2019-12420 is a vulnerability with a CVSS score of 7.5 (HIGH). In Apache SpamAssassin before 3.4.3, a message can be crafted in a way to use excessive resources. Upgrading to SA 3.4.3 as soon as possible is the recommended fix but details will not be shared publi...

How severe is CVE-2019-12420?

CVE-2019-12420 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-12420?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Spamassassin, Debian Debian Linux.