5.1 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
HIGH
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:H/Au:N/C:P/I:P/A:P
0.947 High
EPSS
Percentile
99.3%
SpamAssassin is an extensible email filter used to identify junk email. spamd is the daemonized version of SpamAssassin.
When spamd is run with both the “–vpopmail” (-v) and “–paranoid” (-P) options, it is vulnerable to an unspecified issue.
With certain configuration options, a local or even remote attacker could execute arbitrary code with the rights of the user running spamd, which is root by default, by sending a crafted message to the spamd daemon. Furthermore, the attack can be remotely performed if the “–allowed-ips” (-A) option is present and specifies non-local adresses. Note that Gentoo Linux is not vulnerable in the default configuration.
Don’t use both the “–paranoid” (-P) and the “–vpopmail” (-v) options.
All SpamAssassin users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=mail-filter/spamassassin-3.1.3"
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Gentoo | any | all | mail-filter/spamassassin | < 3.1.3 | UNKNOWN |