{"url":"http://public2.vulnerablecode.io/api/packages/392444?format=json","purl":"pkg:apk/alpine/spamassassin@3.4.2-r0?arch=s390x&distroversion=v3.20&reponame=main","type":"apk","namespace":"alpine","name":"spamassassin","version":"3.4.2-r0","qualifiers":{"arch":"s390x","distroversion":"v3.20","reponame":"main"},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"3.4.3-r0","latest_non_vulnerable_version":"3.4.5-r0","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/101165?format=json","vulnerability_id":"VCID-4as6-979e-1bcs","summary":"Apache SpamAssassin 3.4.2 fixes a local user code injection in the meta rule syntax.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-11781.json","reference_id":"","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-11781.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-11781","reference_id":"","reference_type":"","scores":[{"value":"0.00252","scoring_system":"epss","scoring_elements":"0.48683","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00252","scoring_system":"epss","scoring_elements":"0.48744","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00252","scoring_system":"epss","scoring_elements":"0.48752","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00252","scoring_system":"epss","scoring_elements":"0.48734","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00252","scoring_system":"epss","scoring_elements":"0.48705","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00252","scoring_system":"epss","scoring_elements":"0.4872","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-11781"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11781","reference_
id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11781"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1629536","reference_id":"1629536","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1629536"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=908971","reference_id":"908971","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=908971"},{"reference_url":"https://security.gentoo.org/glsa/201812-07","reference_id":"GLSA-201812-07","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/201812-07"},{"reference_url":"https://access.redhat.com/errata/RHSA-2018:2916","reference_id":"RHSA-2018:2916","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2018:2916"},{"reference_url":"https://usn.ubuntu.com/3811-1/","reference_id":"USN-3811-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/3811-1/"},{"reference_url":"https://usn.ubuntu.com/3811-3/","reference_id":"USN-3811-3","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/3811-3/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/392444?format=json","purl":"pkg:apk/alpine/spamassassin@3.4.2-r0?arch=s390x&distroversion=v3.20&reponame=main","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/spamassassin@3.4.2-r0%3Farch=s390x&distroversion=v3.20&reponame=main"}],"aliases":["CVE-2018-11781"],"risk_score":3.8,"exploitability":"0.5","weighted_severity":"7.6","resource_url":"http://public2.vu
lnerablecode.io/vulnerabilities/VCID-4as6-979e-1bcs"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/97829?format=json","vulnerability_id":"VCID-5zk5-gdjt-vkas","summary":"(1) cpan/Archive-Tar/bin/ptar, (2) cpan/Archive-Tar/bin/ptardiff, (3) cpan/Archive-Tar/bin/ptargrep, (4) cpan/CPAN/scripts/cpan, (5) cpan/Digest-SHA/shasum, (6) cpan/Encode/bin/enc2xs, (7) cpan/Encode/bin/encguess, (8) cpan/Encode/bin/piconv, (9) cpan/Encode/bin/ucmlint, (10) cpan/Encode/bin/unidump, (11) cpan/ExtUtils-MakeMaker/bin/instmodsh, (12) cpan/IO-Compress/bin/zipdetails, (13) cpan/JSON-PP/bin/json_pp, (14) cpan/Test-Harness/bin/prove, (15) dist/ExtUtils-ParseXS/lib/ExtUtils/xsubpp, (16) dist/Module-CoreList/corelist, (17) ext/Pod-Html/bin/pod2html, (18) utils/c2ph.PL, (19) utils/h2ph.PL, (20) utils/h2xs.PL, (21) utils/libnetcfg.PL, (22) utils/perlbug.PL, (23) utils/perldoc.PL, (24) utils/perlivp.PL, and (25) utils/splain.PL in Perl 5.x before 5.22.3-RC2 and 5.24 before 5.24.1-RC2 do not properly remove . 
(period) characters from the end of the includes directory array, which might allow local users to gain privileges via a Trojan horse module under the current working directory.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-1238.json","reference_id":"","reference_type":"","scores":[{"value":"6.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-1238.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2016-1238","reference_id":"","reference_type":"","scores":[{"value":"0.00317","scoring_system":"epss","scoring_elements":"0.55083","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00317","scoring_system":"epss","scoring_elements":"0.55141","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00317","scoring_system":"epss","scoring_elements":"0.55139","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00317","scoring_system":"epss","scoring_elements":"0.55121","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00317","scoring_system":"epss","scoring_elements":"0.55142","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00317","scoring_system":"epss","scoring_elements":"0.55149","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2016-1238"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1238","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1238"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6185","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6185"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv2","scoring_elements":"AV:L/AC:L/Au:N/C:P/I:P/A:P"},
{"value":"6.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1355695","reference_id":"1355695","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1355695"},{"reference_url":"https://security.gentoo.org/glsa/201701-75","reference_id":"GLSA-201701-75","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/201701-75"},{"reference_url":"https://security.gentoo.org/glsa/201812-07","reference_id":"GLSA-201812-07","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/201812-07"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/392444?format=json","purl":"pkg:apk/alpine/spamassassin@3.4.2-r0?arch=s390x&distroversion=v3.20&reponame=main","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/spamassassin@3.4.2-r0%3Farch=s390x&distroversion=v3.20&reponame=main"}],"aliases":["CVE-2016-1238"],"risk_score":3.0,"exploitability":"0.5","weighted_severity":"6.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5zk5-gdjt-vkas"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/101163?format=json","vulnerability_id":"VCID-bjeb-jgr5-fkat","summary":"A denial of service vulnerability was identified that exists in Apache SpamAssassin before 3.4.2. The vulnerability arises with certain unclosed tags in emails that cause markup to be handled incorrectly leading to scan timeouts. In Apache SpamAssassin, using HTML::Parser, we set up an object and hook into the begin and end tag event handlers. In both cases, the \"open\" event is immediately followed by a \"close\" event - even if the tag *does not* close in the HTML being parsed. Because of this, we are missing the \"text\" event to deal with the object normally. 
This can cause carefully crafted emails that might take more scan time than expected leading to a Denial of Service. The issue is possibly a bug or design decision in HTML::Parser that specifically impacts the way Apache SpamAssassin uses the module with poorly formed html. The exploit has been seen in the wild but not believed to have been purposefully part of a Denial of Service attempt. We are concerned that there may be attempts to abuse the vulnerability in the future.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-15705.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-15705.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-15705","reference_id":"","reference_type":"","scores":[{"value":"0.01771","scoring_system":"epss","scoring_elements":"0.82996","published_at":"2026-06-04T12:55:00Z"},{"value":"0.01771","scoring_system":"epss","scoring_elements":"0.83023","published_at":"2026-06-09T12:55:00Z"},{"value":"0.01771","scoring_system":"epss","scoring_elements":"0.8302","published_at":"2026-06-07T12:55:00Z"},{"value":"0.01771","scoring_system":"epss","scoring_elements":"0.83011","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-15705"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15705","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15705"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"
https://bugzilla.redhat.com/show_bug.cgi?id=1629521","reference_id":"1629521","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1629521"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=908969","reference_id":"908969","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=908969"},{"reference_url":"https://security.gentoo.org/glsa/201812-07","reference_id":"GLSA-201812-07","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/201812-07"},{"reference_url":"https://access.redhat.com/errata/RHSA-2018:2916","reference_id":"RHSA-2018:2916","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2018:2916"},{"reference_url":"https://usn.ubuntu.com/3811-1/","reference_id":"USN-3811-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/3811-1/"},{"reference_url":"https://usn.ubuntu.com/3811-2/","reference_id":"USN-3811-2","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/3811-2/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/392444?format=json","purl":"pkg:apk/alpine/spamassassin@3.4.2-r0?arch=s390x&distroversion=v3.20&reponame=main","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/spamassassin@3.4.2-r0%3Farch=s390x&distroversion=v3.20&reponame=main"}],"aliases":["CVE-2017-15705"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bjeb-jgr5-fkat"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/101164?format=json","vulnerability_id":"VCID-k96w-64ea-f3b7","summary":"A potential Remote Code Execution bug exists with the PDFInfo plugin in Apache SpamAssassin before 
3.4.2.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-11780.json","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-11780.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-11780","reference_id":"","reference_type":"","scores":[{"value":"0.18675","scoring_system":"epss","scoring_elements":"0.95397","published_at":"2026-06-04T12:55:00Z"},{"value":"0.18675","scoring_system":"epss","scoring_elements":"0.95405","published_at":"2026-06-05T12:55:00Z"},{"value":"0.18675","scoring_system":"epss","scoring_elements":"0.95414","published_at":"2026-06-09T12:55:00Z"},{"value":"0.18675","scoring_system":"epss","scoring_elements":"0.95408","published_at":"2026-06-06T12:55:00Z"},{"value":"0.18675","scoring_system":"epss","scoring_elements":"0.9541","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-11780"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11780","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11780"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1629532","reference_id":"1629532","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1629532"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=908970","reference_id":"908970","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=9
08970"},{"reference_url":"https://security.gentoo.org/glsa/201812-07","reference_id":"GLSA-201812-07","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/201812-07"},{"reference_url":"https://usn.ubuntu.com/3811-1/","reference_id":"USN-3811-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/3811-1/"},{"reference_url":"https://usn.ubuntu.com/3811-3/","reference_id":"USN-3811-3","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/3811-3/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/392444?format=json","purl":"pkg:apk/alpine/spamassassin@3.4.2-r0?arch=s390x&distroversion=v3.20&reponame=main","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/spamassassin@3.4.2-r0%3Farch=s390x&distroversion=v3.20&reponame=main"}],"aliases":["CVE-2018-11780"],"risk_score":3.6,"exploitability":"0.5","weighted_severity":"7.3","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-k96w-64ea-f3b7"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:apk/alpine/spamassassin@3.4.2-r0%3Farch=s390x&distroversion=v3.20&reponame=main"}