CVSS2 Base Score: 5.1 Medium
Attack Vector: NETWORK
Attack Complexity: HIGH
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
CVSS2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P
EPSS: 0.947 High
EPSS Percentile: 99.3%
Added: 06/09/2006
CVE: CVE-2006-2447
BID: 18290
OSVDB: 26177
SpamAssassin identifies spam e-mail using a variety of local and network-based tests. **spamd** is the component of SpamAssassin that allows it to run as a network daemon.
When the vpopmail (-v) and paranoid (-P) options are used with **spamd**, the user name specified by the client is included in a shell command without sufficient checking for invalid characters. This allows arbitrary command execution by remote attackers.
Upgrade to SpamAssassin 3.1.3 or higher.
<http://www.securityfocus.com/archive/1/436288>
This exploit will only succeed when run from an address which is explicitly allowed by **spamd**.
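The description above names the underlying defect: a client-supplied user name is interpolated into a shell command. The following Perl snippet is an added illustration, not spamd's or SpamAssassin's own code, contrasting that unsafe pattern with a hardened form. The `vuserinfo` path, the `-d` flag and the allowed user-name character set are assumptions made for this example; the real vpopmail helper and the actual 3.1.3 fix may differ.

```perl
#!/usr/bin/perl
# Added illustration (not spamd's own code): the unsafe pattern described in
# the advisory beside a hardened replacement. The helper binary, its flag and
# the user-name format below are assumptions for this example only.
use strict;
use warnings;

# Hypothetical vpopmail lookup helper; placeholder path and flag.
my $VUSERINFO = '/home/vpopmail/bin/vuserinfo';

# UNSAFE: the client-supplied user name becomes part of a string that the
# shell parses, so any shell metacharacter in $user changes the command run.
sub lookup_home_unsafe {
    my ($user) = @_;
    my $out = `$VUSERINFO -d $user`;   # backticks hand the whole line to /bin/sh
    chomp $out if defined $out;
    return $out;
}

# HARDENED, step 1: accept only characters a mail user name legitimately
# contains (allowlist assumed here; tighten to the site's own policy).
sub valid_username {
    my ($user) = @_;
    return 0 unless defined $user;
    return 0 if length($user) == 0 || length($user) > 255;
    return $user =~ /\A[A-Za-z0-9._@-]+\z/ ? 1 : 0;
}

# HARDENED, step 2: run the helper without any shell, via the list form of
# open(), so arguments are passed verbatim even if validation is relaxed later.
sub lookup_home_safe {
    my ($user) = @_;
    die "invalid user name\n" unless valid_username($user);
    open(my $fh, '-|', $VUSERINFO, '-d', $user)
        or die "cannot run $VUSERINFO: $!\n";
    my $out = <$fh>;
    close $fh;
    chomp $out if defined $out;
    return $out;
}

# Exercise only the validator on constructed inputs; no command is executed.
my @samples = ('alice@example.com', 'bob; true', 'carol$(true)', 'dave|true', '');
for my $u (@samples) {
    printf "%-20s %s\n", "'$u'", valid_username($u) ? 'accepted' : 'rejected';
}
```

The two hardening steps are independent: the allowlist rejects the characters that make injection possible, and the list-form `open()` removes the shell from the picture entirely, so a later change to the allowlist cannot reintroduce the command-execution path. Deploying both is the defensive pattern a 3.1.3-style fix aims for; rejecting the request, as `lookup_home_safe` does with `die`, is preferable to silently stripping characters, since a rejected name is also a useful detection signal in the daemon's log.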