Attacker Value

Unknown

(0 users assessed)

Exploitability

Unknown

(0 users assessed)

User Interaction

Unknown

Privileges Required

Unknown

Attack Vector

Unknown

CVE-2017-15705

Disclosure Date: September 17, 2018 •

CVE-2017-15705

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

A denial of service vulnerability was identified that exists in Apache SpamAssassin before 3.4.2. The vulnerability arises with certain unclosed tags in emails that cause markup to be handled incorrectly leading to scan timeouts. In Apache SpamAssassin, using HTML::Parser, we setup an object and hook into the begin and end tag event handlers In both cases, the “open” event is immediately followed by a “close” event – even if the tag does not close in the HTML being parsed. Because of this, we are missing the “text” event to deal with the object normally. This can cause carefully crafted emails that might take more scan time than expected leading to a Denial of Service. The issue is possibly a bug or design decision in HTML::Parser that specifically impacts the way Apache SpamAssassin uses the module with poorly formed html. The exploit has been seen in the wild but not believed to have been purposefully part of a Denial of Service attempt. We are concerned that there may be attempts to abuse the vulnerability in the future.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

None

Impact Score:

Unknown

Exploitability Score:

Unknown

Vector:

Unknown

Attack Vector (AV):

Unknown

Attack Complexity (AC):

Unknown

Privileges Required (PR):

Unknown

User Interaction (UI):

Unknown

Scope (S):

Unknown

Confidentiality (C):

Unknown

Integrity (I):

Unknown

Availability (A):

Unknown

Vendors

apache,
canonical,
debian,
redhat

Products

debian linux 8.0,
enterprise linux desktop 7.0,
enterprise linux eus 7.5,
enterprise linux server 7.0,
enterprise linux workstation 7.0,
spamassassin,
ubuntu linux 12.04,
ubuntu linux 14.04,
ubuntu linux 16.04,
ubuntu linux 18.04

References

Canonical

CVE-2017-15705 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15705)

BID-105347 (http://www.securityfocus.com/bid/105347)

Advisory

USN-3811-2 (https://usn.ubuntu.com/3811-2)

USN-3811-1 (https://usn.ubuntu.com/3811-1)

GLSA-201812-07 (https://security.gentoo.org/glsa/201812-07)

[announce] 20180916 [SECURITY] Apache SpamAssassin 3.4.2 resolves CVE-2017-15705, CVE-2016-1238, CVE-2018-11780 & CVE-2018-11781 (https://lists.apache.org/thread.html/7f6a16bc0fd0fd5e67c7fd95bd655069a2ac7d1f88e42d3c853e601c@%3Cannounce.apache.org%3E)

https://access.redhat.com/errata/RHSA-2018:2916

[debian-lts-announce] 20181113 [SECURITY] [DLA 1578-1] spamassassin security update (https://lists.debian.org/debian-lts-announce/2018/11/msg00016.html)

http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00002.html

Rapid7

Unknown

CVE-2017-15705

Unknown

Unknown

Unknown

Unknown

Unknown

CVE-2017-15705

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

References

Canonical

Advisory

Additional Info

Technical Analysis

Unknown

CVE-2017-15705

Unknown

Unknown

Unknown

Unknown

Unknown

CVE-2017-15705

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

References

Canonical

Advisory

Additional Info

Technical Analysis

Quick Cookie Notification