Attacker Value
Unknown
(0 users assessed)
Exploitability
Unknown
(0 users assessed)
User Interaction
None
Privileges Required
High
Attack Vector
Local
0

CVE-2018-11805

Disclosure Date: May 17, 2018
CVE-2018-11805 CVSS v3 Base Score: 6.7
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

In Apache SpamAssassin before 3.4.3, nefarious CF files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA 3.4.3, we recommend that users should only use update channels or 3rd party .cf files from trusted places.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics
Base Score:
6.7 Medium
Impact Score:
5.9
Exploitability Score:
0.8
Vector:
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Local
Attack Complexity (AC):
Low
Privileges Required (PR):
High
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
Apache SpamAssassin Apache SpamAssassin prior to 3.4.3
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • apache,
  • debian

Products

  • debian linux 10.0,
  • debian linux 8.0,
  • debian linux 9.0,
  • spamassassin

References

Canonical
CVE-2018-11805 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11805)
Advisory
[spamassassin-users] 20191212 [SECURITY] Apache SpamAssassin v3.4.3 released with fix for CVE-2018-11805 (https://lists.apache.org/thread.html/6f89f82a573ea616dce53ec67e52d963618a9f9ac71da5c1efdbd166@%3Cusers.spamassassin.apache.org%3E)
[spamassassin-dev] 20191212 [SECURITY] Apache SpamAssassin v3.4.3 released with fix for CVE-2018-11805 (https://lists.apache.org/thread.html/d015dc5b4f24fd6777a85d068502a9c5d58d69d877ed5b0eb9a22cd5@%3Cdev.spamassassin.apache.org%3E)
[spamassassin-announce] 20191212 [SECURITY] Apache SpamAssassin v3.4.3 released with fix for CVE-2018-11805 (https://lists.apache.org/thread.html/2946b38caec47f7f6a79e8e03d2aa723794186e59a7dc6b5e76dfc18@%3Cannounce.spamassassin.apache.org%3E)
[oss-security] 20191212 Apache SpamAssassin v3.4.3 released with fix for CVE-2018-11805 (http://www.openwall.com/lists/oss-security/2019/12/12/1)
[announce] 20191212 [SECURITY] Apache SpamAssassin v3.4.3 released with fix for CVE-2018-11805 (https://lists.apache.org/thread.html/bc58907171c6585e5875a3ce86066d4956c218911cb74e3156de4433@%3Cannounce.apache.org%3E)
https://svn.apache.org/repos/asf/spamassassin/branches/3.4/build/announcements/3.4.3.txt
https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7647
DSA-4584 (https://www.debian.org/security/2019/dsa-4584)
20191216 [SECURITY] [DSA 4584-1] spamassassin security update (https://seclists.org/bugtraq/2019/Dec/27)
[debian-lts-announce] 20191216 [SECURITY] [DLA 2037-1] spamassassin security update (https://lists.debian.org/debian-lts-announce/2019/12/msg00019.html)
[spamassassin-users] 20191218 CVE-2018-11805 fix and sa-exim (https://lists.apache.org/thread.html/c1f59b7e13b7f2c12f847f7d0dec2636df3cdbcaa6d8309007395ff4@%3Cusers.spamassassin.apache.org%3E)
[spamassassin-users] 20191218 Re: CVE-2018-11805 fix and sa-exim (https://lists.apache.org/thread.html/8534b60bae95ac3a8a4adb840f4ab26135f1c973ce197ff44439cbae@%3Cusers.spamassassin.apache.org%3E)
[spamassassin-users] 20191219 Re: CVE-2018-11805 fix and sa-exim (https://lists.apache.org/thread.html/0b5c73809d0690527341d940029f743807b70550050fd23ee869c5e5@%3Cusers.spamassassin.apache.org%3E)
USN-4237-1 (https://usn.ubuntu.com/4237-1)
USN-4237-2 (https://usn.ubuntu.com/4237-2)
[spamassassin-dev] 20200130 [CVE-2020-1931] Apache SpamAssassin Nefarious rule configuration (.cf) files can be configured to run system commands with warnings. (https://lists.apache.org/thread.html/rc4df9835fb2d7b5bb1202fca99a1de21a40acef055661d3a9e8ae781@%3Cdev.spamassassin.apache.org%3E)
[spamassassin-announce] 20200130 [CVE-2020-1931] Apache SpamAssassin Nefarious rule configuration (.cf) files can be configured to run system commands with warnings. (https://lists.apache.org/thread.html/r217177f7de36deab36dab88db4b6448961122571176dd4b2c133d08e@%3Cannounce.spamassassin.apache.org%3E)
[spamassassin-users] 20200130 [CVE-2020-1931] Apache SpamAssassin Nefarious rule configuration (.cf) files can be configured to run system commands with warnings. (https://lists.apache.org/thread.html/rc4df9835fb2d7b5bb1202fca99a1de21a40acef055661d3a9e8ae781@%3Cusers.spamassassin.apache.org%3E)
[spamassassin-users] 20200130 [CVE-2020-1930] Apache SpamAssassin Nefarious rule configuration (.cf) files can be configured to run system commands (https://lists.apache.org/thread.html/r6729f3d3be754a06c39bb4f11c925a3631e8ea2b4c865546d755cb0a@%3Cusers.spamassassin.apache.org%3E)
[spamassassin-announce] 20200130 [CVE-2020-1930] Apache SpamAssassin Nefarious rule configuration (.cf) files can be configured to run system commands (https://lists.apache.org/thread.html/r71f789fcd6339144e3d4db8f4128def12c341e638bd0107a0b82a05b@%3Cannounce.spamassassin.apache.org%3E)
[announce] 20200130 [CVE-2020-1931] Apache SpamAssassin Nefarious rule configuration (.cf) files can be configured to run system commands with warnings. (https://lists.apache.org/thread.html/rc4df9835fb2d7b5bb1202fca99a1de21a40acef055661d3a9e8ae781@%3Cannounce.apache.org%3E)
[spamassassin-dev] 20200130 [CVE-2020-1930] Apache SpamAssassin Nefarious rule configuration (.cf) files can be configured to run system commands (https://lists.apache.org/thread.html/r6729f3d3be754a06c39bb4f11c925a3631e8ea2b4c865546d755cb0a@%3Cdev.spamassassin.apache.org%3E)
[oss-security] 20200130 [CVE-2020-1930] Apache SpamAssassin Nefarious rule configuration (.cf) files can be configured to run system commands (http://www.openwall.com/lists/oss-security/2020/01/30/3)
[oss-security] 20200130 [CVE-2020-1931] Apache SpamAssassin Nefarious rule configuration (.cf) files can be configured to run system commands with warnings. (http://www.openwall.com/lists/oss-security/2020/01/30/2)
[spamassassin-users] 20200130 Re: ANNOUNCE: Apache SpamAssassin 3.4.4 available (https://lists.apache.org/thread.html/r2578c486552637bfedbe624940cc60d6463bd90044c887bdebb75e74@%3Cusers.spamassassin.apache.org%3E)
[announce] 20200130 [CVE-2020-1930] Apache SpamAssassin Nefarious rule configuration (.cf) files can be configured to run system commands (https://lists.apache.org/thread.html/r6729f3d3be754a06c39bb4f11c925a3631e8ea2b4c865546d755cb0a@%3Cannounce.apache.org%3E)
[spamassassin-users] 20200131 Re: ANNOUNCE: Apache SpamAssassin 3.4.4 available (https://lists.apache.org/thread.html/r3d32ebf97b1245b8237763444e911c4595d2ad5e34a1641840d8146f@%3Cusers.spamassassin.apache.org%3E)
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00003.html
Miscellaneous
https://seclists.org/oss-sec/2019/q4/154

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis