#VU16311 Code injection in SpamAssassin - CVE-2018-11781
Published: December 6, 2018
Vulnerability identifier: #VU16311
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/U:Clear
CVE-ID: CVE-2018-11781
CWE-ID: CWE-94
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vulnerable software:
SpamAssassin
Software vendor:
Apache Foundation
Description
The vulnerability allows a local attacker to execute arbitrary code on the target system.
The vulnerability exists due to a code injection condition in the meta rule syntax, which arises when the affected software processes rules. A local attacker can supply specially crafted data and execute arbitrary code with elevated privileges.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Remediation
Update to version 3.4.2.