远程 Redhat Enterprise Linux 8 主机上安装的程序包受到 RHSA-2021: 4315 公告中提及的一个漏洞的影响。

  - spamassassin：恶意规则配置文件可被配置为运行系统命令 (CVE-2020-1946)

请注意，Nessus 尚未测试此问题，而是只依靠应用程序自我报告的版本号来判断。

远程 Oracle Linux 8 主机上安装的程序包受到 ELSA-2021-4315 公告中提及的漏洞的影响。

  - 在 Apache SpamAssassin 3.4.5 之前的版本中，可以配置恶意规则配置 (.cf) 文件，在没有任何输出或错误的情况下运行系统命令。借此，可在多种场景中注入漏洞。除了升级至 SA 3.4.5，用户应仅使用来自受信任位置的更新渠道或第三方 .cf 文件。(CVE-2020-1946)

请注意，Nessus 尚未测试此问题，而是只依靠应用程序自我报告的版本号来判断。

远程主机上安装的 spamassassin 版本低于 3.4.4-3 版 。因此，该应用程序受到 ALAS2-2021-1642 公告中提及的漏洞的影响。

  - 在 Apache SpamAssassin 3.4.5 之前的版本中，可以配置恶意规则配置 (.cf) 文件，在没有任何输出或错误的情况下运行系统命令。借此，可在多种场景中注入漏洞。除了升级至 SA 3.4.5，用户应仅使用来自受信任位置的更新渠道或第三方 .cf 文件。(CVE-2020-1946)

请注意，Nessus 尚未测试此问题，而是只依赖于应用程序自我报告的版本号。

远程主机受到 GLSA-202105-26 中所述漏洞的影响（SpamAssassin：任意命令执行）

    发现 SpamAssassin 未能正确处理某些 CF 文件。
  影响：

    远程攻击者可引诱用户或自动化系统处理使用 SpamAssassin 特别构建的 CF 文件，从而可能导致以当前程序的相关权限执行任意代码或造成拒绝服务情形。
  变通方案：

    目前无任何已知的变通方案。

Linux/Unix 主机中安装的一个或多个程序包受到一个漏洞影响，而供应商没有提供补丁程序。

  - 在 Apache SpamAssassin 3.4.5 之前的版本中，可以配置恶意规则配置 (.cf) 文件，在没有任何输出或错误的情况下运行系统命令。借此，可在多种场景中注入漏洞。除了升级至 SA 3.4.5，用户应仅使用来自受信任位置的更新渠道或第三方 .cf 文件。(CVE-2020-1946)

请注意，Nessus 依赖供应商报告的程序包是否存在进行判断。

This update for spamassassin fixes the following issues :

CVE-2019-12420: memory leak via crafted messages (bsc#1159133)

CVE-2020-1946: security update (bsc#1184221)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The Apache SpamAssassin project reports :

Apache SpamAssassin 3.4.5 was recently released [1], and fixes an issue of security note where malicious rule configuration (.cf) files can be configured to run system commands.

In Apache SpamAssassin before 3.4.5, exploits can be injected in a number of scenarios. In addition to upgrading to SA 3.4.5, users should only use update channels or 3rd party .cf files from trusted places.

Damian Lukowski discovered a flaw in spamassassin, a Perl-based spam filter using text analysis. Malicious rule configuration files, possibly downloaded from an updates server, could execute arbitrary commands under multiple scenarios.

The remote AlmaLinux 8 host has a package installed that is affected by a vulnerability as referenced in the ALSA-2021:4315 advisory.

  - In Apache SpamAssassin before 3.4.5, malicious rule configuration (.cf) files can be configured to run     system commands without any output or errors. With this, exploits can be injected in a number of     scenarios. In addition to upgrading to SA version 3.4.5, users should only use update channels or 3rd     party .cf files from trusted places. (CVE-2020-1946)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

This update for spamassassin fixes the following issues :

  - CVE-2019-12420: memory leak via crafted messages     (bsc#1159133)

  - CVE-2020-1946: security update (bsc#1184221)

This update was imported from the SUSE:SLE-15-SP1:Update update project.

The remote Fedora 32 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2021-5a4377797c advisory.

  - In Apache SpamAssassin before 3.4.5, malicious rule configuration (.cf) files can be configured to run     system commands without any output or errors. With this, exploits can be injected in a number of     scenarios. In addition to upgrading to SA version 3.4.5, users should only use update channels or 3rd     party .cf files from trusted places. (CVE-2020-1946)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Published	Updated	Severity
155079	RHEL 8：spamassassin (RHSA-2021: 4315)	Nessus	Red Hat Local Security Checks	11/11/2021	11/7/2024	critical
155391	Oracle Linux 8：spamassassin (ELSA-2021-4315)	Nessus	Oracle Linux Local Security Checks	11/17/2021	10/22/2024	critical
149861	Amazon Linux 2：spamassassin (ALAS-2021-1642)	Nessus	Amazon Linux Local Security Checks	5/24/2021	12/11/2024	critical
157029	GLSA-202105-26：SpamAssassin：任意命令执行	Nessus	Gentoo Local Security Checks	1/24/2022	12/21/2023	critical
223398	Linux Distros 未修补的漏洞: CVE-2020-1946	Nessus	Misc.	3/4/2025	3/4/2025	critical
148529	SUSE SLED15 / SLES15 Security Update : spamassassin (SUSE-SU-2021:1163-1)	Nessus	SuSE Local Security Checks	4/14/2021	4/16/2021	critical
148140	FreeBSD : spamassassin -- Malicious rule configuration (.cf) files can be configured to run system commands (ec04f3d0-8cd9-11eb-bb9f-206a8a720317)	Nessus	FreeBSD Local Security Checks	3/26/2021	4/1/2021	critical
148212	Debian DSA-4879-1 : spamassassin - security update	Nessus	Debian Local Security Checks	3/29/2021	4/2/2021	critical
157513	AlmaLinux 8 : spamassassin (ALSA-2021:4315)	Nessus	Alma Linux Local Security Checks	2/9/2022	2/14/2022	critical
148614	openSUSE Security Update : spamassassin (openSUSE-2021-551)	Nessus	SuSE Local Security Checks	4/15/2021	1/4/2024	critical
148776	Fedora 32 : spamassassin (2021-5a4377797c)	Nessus	Fedora Local Security Checks	4/19/2021	4/19/2021	critical

Detections

Analytics

Plugins Search

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical