CVE-2020-1946

CVE-2020-1946: Apache SpamAssassin has an OS Command Injection vulnerability

Vendor Apache Software Foundation

Product Apache SpamAssassin

Weakness CWE-78

Published March 25, 2021

Last update February 13, 2025

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

01Description

In Apache SpamAssassin before 3.4.5, malicious rule configuration (.cf) files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA version 3.4.5, users should only use update channels or 3rd party .cf files from trusted places.

Key dates

02Disclosure timeline

March 25, 2021 CVE published

February 13, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2020-1946

Related vulnerabilities

CVE-2020-1946: Apache SpamAssassin has an OS Command Injection vulnerability

01Description

02Disclosure timeline

03References

04Related CVE