Improper input validation in spamassassin (Alpine package)

1) Improper input validation

EUVDB-ID: #VU16549

Risk: Low

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-15705

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists in Apache SpamAssassin, using HTML::Parser due to an the "open" event is immediately followed by a "close" event - even if the tag *does not* close in the HTML being parsed when an object and hook are setup into the begin and end tag event handlers. A remote attacker can supply certain unclosed tags in specially crafted emails that cause markup to be handled incorrectly leading to scan timeouts.

Mitigation

Install update from vendor's website.

Vulnerable software versions

spamassassin (Alpine package): 3.4.1-r8

CPE2.3

• cpe:2.3:a:alpine:spamassassin_alpine_package:3.4.1-r8:*:*:*:*:alpine_linux:*:3.7

External links

https://git.alpinelinux.org/aports/commit/?id=414d938b62bf425063a54567a1736a0d2fb76c8f
https://git.alpinelinux.org/aports/commit/?id=920c66f72c3e2cc23d7aed42e9ffa0d3a355494d
https://git.alpinelinux.org/aports/commit/?id=baee0facb0bff1fa120bd6c9b7b0454af79a3f04
https://git.alpinelinux.org/aports/commit/?id=d41a153ca51fae77177652bcf56edc463802bab3
https://git.alpinelinux.org/aports/commit/?id=4038e91416abe5bb2a7a09fe108146f5d55bbdaa

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.