{ "document": { "aggregate_severity": { "text": "Critical" }, "category": "csaf_vex", "csaf_version": "2.0", "distribution": { "text": "TuxCare License Agreement", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "publisher": { "category": "vendor", "contact_details": "https://tuxcare.com/contact/", "name": "TuxCare", "namespace": "https://tuxcare.com/" }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://security.tuxcare.com/csaf/v2/els_os/centos6els/vex/2020/cve-2020-1946-els_os-centos6els.json" } ], "title": "Security update on CVE-2020-1946", "tracking": { "current_release_date": "2025-12-23T20:26:03Z", "generator": { "date": "2025-12-23T20:26:03Z", "engine": { "name": "pyCSAF" } }, "id": "CVE-2020-1946-ELS_OS-CENTOS6ELS", "initial_release_date": "2020-01-01T00:00:00Z", "revision_history": [ { "date": "2020-01-01T00:00:00Z", "number": "1", "summary": "Initial version" }, { "date": "2025-10-16T13:17:41Z", "number": "2", "summary": "Official Publication" }, { "date": "2025-11-29T10:32:50Z", "number": "3", "summary": "Update document" }, { "date": "2025-12-23T20:26:03Z", "number": "4", "summary": "Update document" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Community Enterprise Operating System 6", "product": { "name": "Community Enterprise Operating System 6", "product_id": "CentOS-6", "product_identification_helper": { "cpe": "cpe:2.3:o:centos:centos:6:*:*:*:*:*:*:*" } } } ], "category": "product_family", "name": "Community Enterprise Operating System" } ], "category": "vendor", "name": "Red Hat, Inc." }, { "branches": [ { "branches": [ { "category": "product_version", "name": "spamassassin-0:3.3.1-3.el6.tuxcare.els1.x86_64", "product": { "name": "spamassassin-0:3.3.1-3.el6.tuxcare.els1.x86_64", "product_id": "spamassassin-0:3.3.1-3.el6.tuxcare.els1.x86_64", "product_identification_helper": { "purl": "pkg:rpm/cloudlinux/spamassassin@3.3.1-3.el6.tuxcare.els1?arch=x86_64" } } } ], "category": "architecture", "name": "x86_64" } ], "category": "vendor", "name": "CloudLinux" }, { "branches": [ { "branches": [ { "category": "product_version", "name": "spamassassin-3.3.1-3.el6.x86_64", "product": { "name": "spamassassin-3.3.1-3.el6.x86_64", "product_id": "spamassassin-3.3.1-3.el6.x86_64", "product_identification_helper": { "purl": "pkg:rpm/centos/spamassassin@3.3.1-3.el6?arch=x86_64" } } } ], "category": "architecture", "name": "x86_64" } ], "category": "vendor", "name": "Red Hat, Inc." } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "spamassassin-0:3.3.1-3.el6.tuxcare.els1.x86_64 as a component of Community Enterprise Operating System 6", "product_id": "CentOS-6:spamassassin-0:3.3.1-3.el6.tuxcare.els1.x86_64" }, "product_reference": "spamassassin-0:3.3.1-3.el6.tuxcare.els1.x86_64", "relates_to_product_reference": "CentOS-6" }, { "category": "default_component_of", "full_product_name": { "name": "spamassassin-3.3.1-3.el6.x86_64 as a component of Community Enterprise Operating System 6", "product_id": "CentOS-6:spamassassin-3.3.1-3.el6.x86_64" }, "product_reference": "spamassassin-3.3.1-3.el6.x86_64", "relates_to_product_reference": "CentOS-6" } ] }, "vulnerabilities": [ { "cve": "CVE-2020-1946", "cwe": { "id": "CWE-78", "name": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" }, "notes": [ { "category": "description", "text": "In Apache SpamAssassin before 3.4.5, malicious rule configuration (.cf) files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA version 3.4.5, users should only use update channels or 3rd party .cf files from trusted places.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "known_affected": [ "CentOS-6:spamassassin-0:3.3.1-3.el6.tuxcare.els1.x86_64", "CentOS-6:spamassassin-3.3.1-3.el6.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2020-1946" }, { "category": "external", "summary": "https://lists.debian.org/debian-lts-announce/2021/04/msg00000.html", "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00000.html" }, { "category": "external", "summary": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7V2SBVTKVLFFT36ECJQ7TQ7KAQCQZDRZ/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7V2SBVTKVLFFT36ECJQ7TQ7KAQCQZDRZ/" }, { "category": "external", "summary": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JFBFRIG5TX23NF4ND6OAKKY7I6TLRCCP/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JFBFRIG5TX23NF4ND6OAKKY7I6TLRCCP/" }, { "category": "external", "summary": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NKAXYBKBMQOLIW6UKASJCAZRBOIYS4RL/", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NKAXYBKBMQOLIW6UKASJCAZRBOIYS4RL/" }, { "category": "external", "summary": "https://s.apache.org/3r1wh", "url": "https://s.apache.org/3r1wh" }, { "category": "external", "summary": "https://security.gentoo.org/glsa/202105-26", "url": "https://security.gentoo.org/glsa/202105-26" }, { "category": "external", "summary": "https://www.debian.org/security/2021/dsa-4879", "url": "https://www.debian.org/security/2021/dsa-4879" } ], "release_date": "2021-03-25T10:15:00Z", "remediations": [ { "category": "no_fix_planned", "details": "We have reasoned not to port the fix for this issue since directly porting the upstream fix would be intrusive and could introduce new issues.\nOur recommendation is that clients do not rely on untrusted third-party configuration files. If such files must be used, they should be reviewed to prevent potential command injection.", "product_ids": [ "CentOS-6:spamassassin-0:3.3.1-3.el6.tuxcare.els1.x86_64", "CentOS-6:spamassassin-3.3.1-3.el6.x86_64" ] } ], "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0" }, "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "CentOS-6:spamassassin-0:3.3.1-3.el6.tuxcare.els1.x86_64", "CentOS-6:spamassassin-3.3.1-3.el6.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Critical" } ] } ] }