Apache Spamassassin

By the Year

In 2024 there have been 0 vulnerabilities in Apache Spamassassin. Spamassassin did not have any published security vulnerabilities last year.

Year   Vulnerabilities   Average Score
2024   0                 0.00
2023   0                 0.00
2022   0                 0.00
2021   1                 9.80
2020   2                 8.10
2019   2                 7.10
2018   2                 8.80

It may take a day or so for new Spamassassin vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Apache Spamassassin Security Vulnerabilities

CVE-2020-1946 9.8 - Critical - March 25, 2021

In Apache SpamAssassin before 3.4.5, malicious rule configuration (.cf) files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA version 3.4.5, users should only use update channels or 3rd party .cf files from trusted places.

Shell injection

CVE-2020-1930 8.1 - High - January 30, 2020

A command execution issue was found in Apache SpamAssassin prior to 3.4.3. Carefully crafted nefarious rule configuration (.cf) files can be configured to run system commands, similar to CVE-2018-11805. With this bug unpatched, exploits can be injected in a number of scenarios, including running with the same privileges as spamd, which may be elevated, though doing so remotely is difficult. In addition to upgrading to SA 3.4.4, we again recommend that users only use update channels or 3rd party .cf files from trusted places. If you cannot upgrade, do not use 3rd party rulesets, do not use sa-compile and do not run spamd as an account with elevated privileges.

Shell injection

CVE-2020-1931 8.1 - High - January 30, 2020

A command execution issue was found in Apache SpamAssassin prior to 3.4.3. Carefully crafted nefarious configuration (.cf) files can be configured to run system commands, similar to CVE-2018-11805. This issue is less stealthy, and attempts to exploit it will throw warnings. Thanks to Damian Lukowski at credativ for reporting the issue ethically. With this bug unpatched, exploits can be injected in a number of scenarios, though doing so remotely is difficult. In addition to upgrading to SA 3.4.4, we again recommend that users only use update channels or 3rd party .cf files from trusted places.

Shell injection

CVE-2018-11805 6.7 - Medium - December 12, 2019

In Apache SpamAssassin before 3.4.3, nefarious CF files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA 3.4.3, we recommend that users only use update channels or 3rd party .cf files from trusted places.

Shell injection

CVE-2019-12420 7.5 - High - December 12, 2019

In Apache SpamAssassin before 3.4.3, a message can be crafted in a way that uses excessive resources. Upgrading to SA 3.4.3 as soon as possible is the recommended fix, but details will not be shared publicly.

Resource Exhaustion

CVE-2018-11780 9.8 - Critical - September 17, 2018

A potential Remote Code Execution bug exists with the PDFInfo plugin in Apache SpamAssassin before 3.4.2.

Code Injection

CVE-2018-11781 7.8 - High - September 17, 2018

Apache SpamAssassin 3.4.2 fixes a local user code injection in the meta rule syntax.

Code Injection

CVE-2016-1238 7.8 - High - August 02, 2016

(1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3) cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan, (5) cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs, (7) cpan/Encode/bin/encguess, (8) cpan/Encode/bin/piconv, (9) cpan/Encode/bin/ucmlint, (10) cpan/Encode/bin/unidump, (11) cpan/ExtUtils-MakeMaker/bin/instmodsh, (12) cpan/IO-Compress/bin/zipdetails, (13) cpan/JSON-PP/bin/json_pp, (14) cpan/Test-Harness/bin/prove, (15) dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp, (16) dist/Module-CoreList/corelist, (17) ext/Pod-Html/bin/pod2html, (18) utils/c2ph.PL, (19) utils/h2ph.PL, (20) utils/h2xs.PL, (21) utils/libnetcfg.PL, (22) utils/perlbug.PL, (23) utils/perldoc.PL, (24) utils/perlivp.PL, and (25) utils/splain.PL in Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove . (period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory.

Permissions, Privileges, and Access Controls

CVE-2005-1266 - June 15, 2005

Apache SpamAssassin 3.0.1, 3.0.2, and 3.0.3 allows remote attackers to cause a denial of service (CPU consumption and slowdown) via a message with a long Content-Type header without any boundaries.
