SB2019121629 - OS Command Injection in spamassassin (Alpine package)
Published: December 16, 2019
Description
This security bulletin contains information about 1 security vulnerability.
1) OS Command Injection (CVE-ID: CVE-2018-11805)
The vulnerability allows a local user to execute arbitrary shell commands on the target system.
The vulnerability exists because nefarious CF (rule configuration) files can be configured to run system commands without producing any output. A local user able to plant or modify such CF files can inject arbitrary commands into them and compromise the system or execute arbitrary code with elevated privileges.
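Because the issue hinges on a local user being able to get command-running content into a CF file that the mail daemon later reads, a practical defender-side check is to audit the rule directory for files that an unprivileged user could have written, and to flag rule lines that carry shell-style execution constructs. The script below is an added example, not code from the bulletin, from Alpine or from the SpamAssassin project; the rule directory path is an assumption (real installs vary), and the `SHELL_HINTS` patterns are a generic heuristic for Perl command execution, not the exact directive involved in CVE-2018-11805. It builds its own sample directory so it runs offline.

```python
import os
import stat
import tempfile
from pathlib import Path

# Heuristic markers for command execution in Perl-evaluated rule text.
# Assumption: these are generic Perl constructs, not the specific directive
# behind CVE-2018-11805; treat hits as "review this line", not proof of abuse.
SHELL_HINTS = ("`", "system(", "exec(", "qx(")


def writable_by_others(st_mode):
    """True if the file mode grants write to group or other."""
    return bool(st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_cf_dir(rules_dir, expected_uid=None):
    """Return a list of (filename, kind, detail) findings for *.cf files.

    kind is one of:
      "owner"   - file is not owned by expected_uid (default: the auditing user,
                  normally root, since rule files should be root-owned)
      "perm"    - file is writable by group or other
      "content" - a non-comment line contains a command-execution construct
    """
    if expected_uid is None:
        expected_uid = os.getuid()
    findings = []
    rules = Path(rules_dir)

    # The directory itself matters too: write access there allows new .cf files.
    if writable_by_others(rules.stat().st_mode):
        findings.append((rules.name, "perm", "rule directory writable by group/other"))

    for path in sorted(rules.glob("*.cf")):
        st = path.stat()
        if st.st_uid != expected_uid:
            findings.append((path.name, "owner", f"uid {st.st_uid} != {expected_uid}"))
        if writable_by_others(st.st_mode):
            findings.append((path.name, "perm", f"mode {oct(st.st_mode & 0o777)}"))
        for lineno, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
            stripped = line.strip()
            if not stripped or stripped.startswith("#"):
                continue  # comments and blank lines cannot execute anything
            if any(hint in stripped for hint in SHELL_HINTS):
                findings.append((path.name, "content", f"line {lineno}: {stripped}"))
    return findings


def build_demo_dir():
    """Create a constructed sample rule directory (not a real install).

    good.cf: ordinary regex rules, root-style 0644 permissions.
    bad.cf:  world-writable and carrying a backtick execution line.
    """
    d = Path(tempfile.mkdtemp(prefix="sa-rules-"))
    good = d / "good.cf"
    good.write_text(
        "# constructed sample rule file\n"
        "body LOCAL_DEMO_RULE /lottery|prize/i\n"
        "score LOCAL_DEMO_RULE 1.5\n"
    )
    good.chmod(0o644)
    bad = d / "bad.cf"
    bad.write_text(
        "# constructed sample: planted by an unprivileged user\n"
        "body LOCAL_EVIL /x/\n"
        "describe LOCAL_EVIL `id > /tmp/demo-marker`\n"
    )
    bad.chmod(0o666)
    return d


def demo():
    """Audit the constructed directory and return its findings."""
    return audit_cf_dir(build_demo_dir())


if __name__ == "__main__":
    # Real use: point at the site rules directory, e.g. /etc/mail/spamassassin
    # (assumed path; check your distribution's layout).
    for name, kind, detail in demo():
        print(f"{kind:8s} {name}: {detail}")
```

Run it as root against the real rule directory; any "owner" or "perm" finding means the file could have been modified by someone other than the administrator, and a "content" finding deserves a manual read of that line. Pair this with installing the fixed Alpine package, since the audit only narrows the window and does not remove the underlying flaw.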
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=3fe10202b17cab6dd2b9eefd7e8e092864a008ab
- https://git.alpinelinux.org/aports/commit/?id=414d938b62bf425063a54567a1736a0d2fb76c8f
- https://git.alpinelinux.org/aports/commit/?id=4f41af115f2fe395e2de01e5ee07a53dbbfa38a1
- https://git.alpinelinux.org/aports/commit/?id=baee0facb0bff1fa120bd6c9b7b0454af79a3f04
- https://git.alpinelinux.org/aports/commit/?id=d41a153ca51fae77177652bcf56edc463802bab3