{
  "threat_severity" : "Moderate",
  "public_date" : "2019-12-12T00:00:00Z",
  "bugzilla" : {
    "description" : "spamassassin: crafted configuration files can run system commands without any output or errors",
    "id" : "1784974",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1784974"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.7",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-78",
  "details" : [ "In Apache SpamAssassin before 3.4.3, nefarious CF files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA 3.4.3, we recommend that users should only use update channels or 3rd party .cf files from trusted places." ],
  "statement" : "The attack is triggered by malicious specially crafted .cf files which are basically configuration files for spamassasin. These files can be located at:\n1. /usr/share/spamassassin\n2. /etc/mail/spamassassin\n3. user's home directory, in a directory called .spamassassin\nAll of these locations can only be accessed by either the system administrator or by a user having a local shell account on the machine. In order to successfully exploit this flaw, the attacker needs to convince the user to place the malicious configuration files in one of the above locations.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2020-11-04T00:00:00Z",
    "advisory" : "RHSA-2020:4625",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "spamassassin-0:3.4.2-10.el8"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Out of support scope",
    "package_name" : "spamassassin",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "spamassassin",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Will not fix",
    "package_name" : "spamassassin",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2018-11805\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-11805" ],
  "name" : "CVE-2018-11805",
  "mitigation" : {
    "value" : "The attack is triggered by malicious specially crafted .cf files which are configuration files for spamassasin. Do not use untrusted configuration files for spamassisin",
    "lang" : "en:us"
  },
  "csaw" : false
}