Alpine: multiple spamassassin packages, perl-mail-spamassassin: security update to 3.4.4-r0

high Tenable Self-Hosted Container Security Plugin ID 424506

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- A command execution issue was found in Apache SpamAssassin prior to 3.4.3. Carefully crafted nefarious
rule configuration (.cf) files can be configured to run system commands similar to CVE-2018-11805. With
this bug unpatched, exploits can be injected in a number of scenarios including the same privileges as
spamd is run which may be elevated though doing so remotely is difficult. In addition to upgrading to SA
3.4.4, we again recommend that users should only use update channels or 3rd party .cf files from trusted
places. If you cannot upgrade, do not use 3rd party rulesets, do not use sa-compile and do not run spamd
as an account with elevated privileges. (CVE-2020-1930)

- A command execution issue was found in Apache SpamAssassin prior to 3.4.3. Carefully crafted nefarious
Configuration (.cf) files can be configured to run system commands similar to CVE-2018-11805. This issue
is less stealthy and attempts to exploit the issue will throw warnings. Thanks to Damian Lukowski at
credativ for reporting the issue ethically. With this bug unpatched, exploits can be injected in a number
of scenarios though doing so remotely is difficult. In addition to upgrading to SA 3.4.4, we again
recommend that users should only use update channels or 3rd party .cf files from trusted places.
(CVE-2020-1931)

See Also

https://security.alpinelinux.org/vuln/CVE-2020-1930

https://security.alpinelinux.org/vuln/CVE-2020-1931

Plugin Details

Severity: High

ID: 424506

Version: Revision 1.10

Type: Local

Published: 4/4/2025

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.27

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 6.9

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2020-1931

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.1

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 1/30/2020

Reference Information

CVE: CVE-2020-1930, CVE-2020-1931

IAVA: 2020-A-0056-S