CVE-2020-1946 — CRITICAL (9.8)

Q: How severe is CVE-2020-1946?

CVE-2020-1946 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2020-1946?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Spamassassin, Debian Debian Linux, Fedoraproject Fedora.

Vulnerability Description

In Apache SpamAssassin before 3.4.5, malicious rule configuration (.cf) files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA version 3.4.5, users should only use update channels or 3rd party .cf files from trusted places.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Apache	Spamassassin	< 3.4.5
Debian	Debian Linux	9.0
Fedoraproject	Fedora	32

Related Weaknesses (CWE)

CWE-78

References

https://lists.debian.org/debian-lts-announce/2021/04/msg00000.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://s.apache.org/3r1whMailing ListVendor Advisory
https://security.gentoo.org/glsa/202105-26Third Party Advisory
https://www.debian.org/security/2021/dsa-4879Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/04/msg00000.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://s.apache.org/3r1whMailing ListVendor Advisory
https://security.gentoo.org/glsa/202105-26Third Party Advisory
https://www.debian.org/security/2021/dsa-4879Third Party Advisory

FAQ

What is CVE-2020-1946?

CVE-2020-1946 is a vulnerability with a CVSS score of 9.8 (CRITICAL). In Apache SpamAssassin before 3.4.5, malicious rule configuration (.cf) files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of ...

How severe is CVE-2020-1946?

CVE-2020-1946 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2020-1946?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Spamassassin, Debian Debian Linux, Fedoraproject Fedora.