CVE-2018-11805
spamassassin - security update
6.7
MEDIUM
CVSS 3.1
EPSS 0.07%
Description
In Apache SpamAssassin before 3.4.3, nefarious CF files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA 3.4.3, we recommend that users should only use update channels or 3rd party .cf files from trusted places.
How to fix CVE-2018-11805
To remediate CVE-2018-11805, upgrade the affected package to a fixed version below.
- upgrade to 3.4.3-r0 or later
- upgrade to 3.4.3~rc6-1 or later
- upgrade to 3.4.2-0+deb8u2 or later
- upgrade to 3.4.2-1~deb9u2 or later
Is CVE-2018-11805 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (4)
- from 0, < 3.4.3-r0
- from 0, < 3.4.3~rc6-1
- from 0, < 3.4.2-0+deb8u2
- from 0, < 3.4.2-1~deb9u2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 6.7 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |