{"url":"http://public2.vulnerablecode.io/api/packages/5441?format=json","purl":"pkg:deb/debian/spamassassin@3.4.2-1~deb9u3","type":"deb","namespace":"debian","name":"spamassassin","version":"3.4.2-1~deb9u3","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"3.4.6-1","latest_non_vulnerable_version":"3.4.6-1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/101165?format=json","vulnerability_id":"VCID-4as6-979e-1bcs","summary":"Apache SpamAssassin 3.4.2 fixes a local user code injection in the meta rule syntax.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-11781.json","reference_id":"","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-11781.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-11781","reference_id":"","reference_type":"","scores":[{"value":"0.00252","scoring_system":"epss","scoring_elements":"0.48683","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00252","scoring_system":"epss","scoring_elements":"0.48744","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00252","scoring_system":"epss","scoring_elements":"0.48752","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00252","scoring_system":"epss","scoring_elements":"0.48734","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00252","scoring_system":"epss","scoring_elements":"0.48705","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00252","scoring_system":"epss","scoring_elements":"0.4872","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-11781"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11781","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11781"},{"reference_
url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1629536","reference_id":"1629536","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1629536"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=908971","reference_id":"908971","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=908971"},{"reference_url":"https://security.gentoo.org/glsa/201812-07","reference_id":"GLSA-201812-07","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/201812-07"},{"reference_url":"https://access.redhat.com/errata/RHSA-2018:2916","reference_id":"RHSA-2018:2916","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2018:2916"},{"reference_url":"https://usn.ubuntu.com/3811-1/","reference_id":"USN-3811-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/3811-1/"},{"reference_url":"https://usn.ubuntu.com/3811-3/","reference_id":"USN-3811-3","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/3811-3/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/5442?format=json","purl":"pkg:deb/debian/spamassassin@3.4.2-1%2Bdeb10u3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-cpgs-5jfe-zqf3"},{"vulnerability":"VCID-fhuz-3pw2-8yfu"},{"vulnerability":"VCID-q7se-fcdw-67by"},{"vulnerability":"VCID-regp-69zy-jubu"},{"vulnerability":"VCID-td7w-kxqc-zkd4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/spamassassin@3.4.2-1%252Bdeb10u3"}],"aliases":["CVE-2018-11781"],"risk_score":3.8,"exploitability":"0.5","weighted_severity":"7.6","resource_url":"http://public2.
vulnerablecode.io/vulnerabilities/VCID-4as6-979e-1bcs"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/101163?format=json","vulnerability_id":"VCID-bjeb-jgr5-fkat","summary":"A denial of service vulnerability was identified that exists in Apache SpamAssassin before 3.4.2. The vulnerability arises with certain unclosed tags in emails that cause markup to be handled incorrectly leading to scan timeouts. In Apache SpamAssassin, using HTML::Parser, we set up an object and hook into the begin and end tag event handlers. In both cases, the \"open\" event is immediately followed by a \"close\" event - even if the tag *does not* close in the HTML being parsed. Because of this, we are missing the \"text\" event to deal with the object normally. This can cause carefully crafted emails that might take more scan time than expected leading to a Denial of Service. The issue is possibly a bug or design decision in HTML::Parser that specifically impacts the way Apache SpamAssassin uses the module with poorly formed html. The exploit has been seen in the wild but is not believed to have been purposefully part of a Denial of Service attempt. 
We are concerned that there may be attempts to abuse the vulnerability in the future.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-15705.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-15705.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-15705","reference_id":"","reference_type":"","scores":[{"value":"0.01771","scoring_system":"epss","scoring_elements":"0.82996","published_at":"2026-06-04T12:55:00Z"},{"value":"0.01771","scoring_system":"epss","scoring_elements":"0.83023","published_at":"2026-06-09T12:55:00Z"},{"value":"0.01771","scoring_system":"epss","scoring_elements":"0.8302","published_at":"2026-06-07T12:55:00Z"},{"value":"0.01771","scoring_system":"epss","scoring_elements":"0.83011","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-15705"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15705","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15705"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1629521","reference_id":"1629521","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1629521"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=908969","reference_id":"908969","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=908969"},{"reference_url":"https:
//security.gentoo.org/glsa/201812-07","reference_id":"GLSA-201812-07","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/201812-07"},{"reference_url":"https://access.redhat.com/errata/RHSA-2018:2916","reference_id":"RHSA-2018:2916","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2018:2916"},{"reference_url":"https://usn.ubuntu.com/3811-1/","reference_id":"USN-3811-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/3811-1/"},{"reference_url":"https://usn.ubuntu.com/3811-2/","reference_id":"USN-3811-2","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/3811-2/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/5442?format=json","purl":"pkg:deb/debian/spamassassin@3.4.2-1%2Bdeb10u3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-cpgs-5jfe-zqf3"},{"vulnerability":"VCID-fhuz-3pw2-8yfu"},{"vulnerability":"VCID-q7se-fcdw-67by"},{"vulnerability":"VCID-regp-69zy-jubu"},{"vulnerability":"VCID-td7w-kxqc-zkd4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/spamassassin@3.4.2-1%252Bdeb10u3"}],"aliases":["CVE-2017-15705"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bjeb-jgr5-fkat"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/101169?format=json","vulnerability_id":"VCID-cpgs-5jfe-zqf3","summary":"A command execution issue was found in Apache SpamAssassin prior to 3.4.3. Carefully crafted nefarious Configuration (.cf) files can be configured to run system commands similar to CVE-2018-11805. This issue is less stealthy and attempts to exploit the issue will throw warnings. Thanks to Damian Lukowski at credativ for reporting the issue ethically. With this bug unpatched, exploits can be injected in a number of scenarios though doing so remotely is difficult. 
In addition to upgrading to SA 3.4.4, we again recommend that users should only use update channels or 3rd party .cf files from trusted places.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-1931.json","reference_id":"","reference_type":"","scores":[{"value":"6.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-1931.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-1931","reference_id":"","reference_type":"","scores":[{"value":"0.01095","scoring_system":"epss","scoring_elements":"0.78329","published_at":"2026-06-04T12:55:00Z"},{"value":"0.01095","scoring_system":"epss","scoring_elements":"0.78355","published_at":"2026-06-05T12:55:00Z"},{"value":"0.01095","scoring_system":"epss","scoring_elements":"0.78364","published_at":"2026-06-06T12:55:00Z"},{"value":"0.01095","scoring_system":"epss","scoring_elements":"0.78354","published_at":"2026-06-07T12:55:00Z"},{"value":"0.01095","scoring_system":"epss","scoring_elements":"0.78341","published_at":"2026-06-08T12:55:00Z"},{"value":"0.01095","scoring_system":"epss","scoring_elements":"0.78359","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-1931"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1930","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1930"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1931","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1931"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https:
//ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1802975","reference_id":"1802975","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1802975"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950258","reference_id":"950258","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950258"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:4625","reference_id":"RHSA-2020:4625","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:4625"},{"reference_url":"https://usn.ubuntu.com/4265-1/","reference_id":"USN-4265-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4265-1/"},{"reference_url":"https://usn.ubuntu.com/4265-2/","reference_id":"USN-4265-2","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4265-2/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/5442?format=json","purl":"pkg:deb/debian/spamassassin@3.4.2-1%2Bdeb10u3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-cpgs-5jfe-zqf3"},{"vulnerability":"VCID-fhuz-3pw2-8yfu"},{"vulnerability":"VCID-q7se-fcdw-67by"},{"vulnerability":"VCID-regp-69zy-jubu"},{"vulnerability":"VCID-td7w-kxqc-zkd4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/spamassassin@3.4.2-1%252Bdeb10u3"},{"url":"http://public2.vulnerablecode.io/api/packages/6094?format=json","purl":"pkg:deb/debian/spamassassin@3.4.6-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/spamassassin@3.4.6-1"}],"aliases":["CVE-2020-1931"],"risk_score":3.0,"exploitability":"0.5","weighted_severity":"6.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cpgs-5jfe-zqf3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/5608?format=json","vulnerability_id":"VCI
D-fhuz-3pw2-8yfu","summary":"arbitrary command execution","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-1946.json","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-1946.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-1946","reference_id":"","reference_type":"","scores":[{"value":"0.03407","scoring_system":"epss","scoring_elements":"0.87671","published_at":"2026-06-08T12:55:00Z"},{"value":"0.03407","scoring_system":"epss","scoring_elements":"0.87648","published_at":"2026-06-04T12:55:00Z"},{"value":"0.03407","scoring_system":"epss","scoring_elements":"0.87683","published_at":"2026-06-09T12:55:00Z"},{"value":"0.03407","scoring_system":"epss","scoring_elements":"0.8767","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-1946"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1946","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1946"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1943276","reference_id":"1943276","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1943276"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985962","reference_id":"985962","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985962"},{"reference_url":"https://security.archlinux.org/AVG-1731
","reference_id":"AVG-1731","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1731"},{"reference_url":"https://security.gentoo.org/glsa/202105-26","reference_id":"GLSA-202105-26","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/202105-26"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4315","reference_id":"RHSA-2021:4315","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4315"},{"reference_url":"https://usn.ubuntu.com/4899-1/","reference_id":"USN-4899-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4899-1/"},{"reference_url":"https://usn.ubuntu.com/4899-2/","reference_id":"USN-4899-2","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4899-2/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/5442?format=json","purl":"pkg:deb/debian/spamassassin@3.4.2-1%2Bdeb10u3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-cpgs-5jfe-zqf3"},{"vulnerability":"VCID-fhuz-3pw2-8yfu"},{"vulnerability":"VCID-q7se-fcdw-67by"},{"vulnerability":"VCID-regp-69zy-jubu"},{"vulnerability":"VCID-td7w-kxqc-zkd4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/spamassassin@3.4.2-1%252Bdeb10u3"},{"url":"http://public2.vulnerablecode.io/api/packages/6094?format=json","purl":"pkg:deb/debian/spamassassin@3.4.6-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/spamassassin@3.4.6-1"}],"aliases":["CVE-2020-1946"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fhuz-3pw2-8yfu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/101164?format=json","vulnerability_id":"VCID-k96w-64ea-f3b7","summary":"A potential Remote Code Execution bug exists with the PDFInfo 
plugin in Apache SpamAssassin before 3.4.2.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-11780.json","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-11780.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-11780","reference_id":"","reference_type":"","scores":[{"value":"0.18675","scoring_system":"epss","scoring_elements":"0.95397","published_at":"2026-06-04T12:55:00Z"},{"value":"0.18675","scoring_system":"epss","scoring_elements":"0.95405","published_at":"2026-06-05T12:55:00Z"},{"value":"0.18675","scoring_system":"epss","scoring_elements":"0.95414","published_at":"2026-06-09T12:55:00Z"},{"value":"0.18675","scoring_system":"epss","scoring_elements":"0.95408","published_at":"2026-06-06T12:55:00Z"},{"value":"0.18675","scoring_system":"epss","scoring_elements":"0.9541","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-11780"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11780","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11780"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1629532","reference_id":"1629532","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1629532"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=908970","reference_id":"908970","reference_type":"","scores":[],"url":"https://bugs.d
ebian.org/cgi-bin/bugreport.cgi?bug=908970"},{"reference_url":"https://security.gentoo.org/glsa/201812-07","reference_id":"GLSA-201812-07","reference_type":"","scores":[],"url":"https://security.gentoo.org/glsa/201812-07"},{"reference_url":"https://usn.ubuntu.com/3811-1/","reference_id":"USN-3811-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/3811-1/"},{"reference_url":"https://usn.ubuntu.com/3811-3/","reference_id":"USN-3811-3","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/3811-3/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/5442?format=json","purl":"pkg:deb/debian/spamassassin@3.4.2-1%2Bdeb10u3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-cpgs-5jfe-zqf3"},{"vulnerability":"VCID-fhuz-3pw2-8yfu"},{"vulnerability":"VCID-q7se-fcdw-67by"},{"vulnerability":"VCID-regp-69zy-jubu"},{"vulnerability":"VCID-td7w-kxqc-zkd4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/spamassassin@3.4.2-1%252Bdeb10u3"}],"aliases":["CVE-2018-11780"],"risk_score":3.6,"exploitability":"0.5","weighted_severity":"7.3","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-k96w-64ea-f3b7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/101166?format=json","vulnerability_id":"VCID-q7se-fcdw-67by","summary":"In Apache SpamAssassin before 3.4.3, nefarious CF files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. 
In addition to upgrading to SA 3.4.3, we recommend that users should only use update channels or 3rd party .cf files from trusted places.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-11805.json","reference_id":"","reference_type":"","scores":[{"value":"6.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-11805.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-11805","reference_id":"","reference_type":"","scores":[{"value":"0.0007","scoring_system":"epss","scoring_elements":"0.21601","published_at":"2026-06-04T12:55:00Z"},{"value":"0.0007","scoring_system":"epss","scoring_elements":"0.21679","published_at":"2026-06-05T12:55:00Z"},{"value":"0.0007","scoring_system":"epss","scoring_elements":"0.21666","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0007","scoring_system":"epss","scoring_elements":"0.2162","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0007","scoring_system":"epss","scoring_elements":"0.21562","published_at":"2026-06-08T12:55:00Z"},{"value":"0.0007","scoring_system":"epss","scoring_elements":"0.21571","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-11805"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11805","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11805"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12420","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12420"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1784974","reference_id":"1784974","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1784974"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946652","
reference_id":"946652","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946652"},{"reference_url":"https://security.archlinux.org/AVG-1077","reference_id":"AVG-1077","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1077"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:4625","reference_id":"RHSA-2020:4625","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:4625"},{"reference_url":"https://usn.ubuntu.com/4237-1/","reference_id":"USN-4237-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4237-1/"},{"reference_url":"https://usn.ubuntu.com/4237-2/","reference_id":"USN-4237-2","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4237-2/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/5442?format=json","purl":"pkg:deb/debian/spamassassin@3.4.2-1%2Bdeb10u3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-cpgs-5jfe-zqf3"},{"vulnerability":"VCID-fhuz-3pw2-8yfu"},{"vulnerability":"VCID-q7se-fcdw-67by"},{"vulnerability":"VCID-regp-69zy-jubu"},{"vulnerability":"VCID-td7w-kxqc-zkd4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/spamassassin@3.4.2-1%252Bdeb10u3"},{"url":"http://public2.vulnerablecode.io/api/packages/6094?format=json","purl":"pkg:deb/debian/spamassassin@3.4.6-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/spamassassin@3.4.6-1"}],"aliases":["CVE-2018-11805"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-q7se-fcdw-67by"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/101168?format=json","vulnerability_id":"VCID-regp-69zy-jubu","summary":"A command execution issue was found in Apache SpamAssassin prior 
to 3.4.3. Carefully crafted nefarious rule configuration (.cf) files can be configured to run system commands similar to CVE-2018-11805. With this bug unpatched, exploits can be injected in a number of scenarios including the same privileges as spamd is run which may be elevated though doing so remotely is difficult. In addition to upgrading to SA 3.4.4, we again recommend that users should only use update channels or 3rd party .cf files from trusted places. If you cannot upgrade, do not use 3rd party rulesets, do not use sa-compile and do not run spamd as an account with elevated privileges.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-1930.json","reference_id":"","reference_type":"","scores":[{"value":"6.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-1930.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-1930","reference_id":"","reference_type":"","scores":[{"value":"0.00965","scoring_system":"epss","scoring_elements":"0.76904","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00965","scoring_system":"epss","scoring_elements":"0.76937","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00965","scoring_system":"epss","scoring_elements":"0.76946","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00965","scoring_system":"epss","scoring_elements":"0.76934","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00965","scoring_system":"epss","scoring_elements":"0.76923","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00965","scoring_system":"epss","scoring_elements":"0.76944","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-1930"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1930","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1930"},{"ref
erence_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1931","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1931"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1802977","reference_id":"1802977","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1802977"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950258","reference_id":"950258","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950258"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:4625","reference_id":"RHSA-2020:4625","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:4625"},{"reference_url":"https://usn.ubuntu.com/4265-1/","reference_id":"USN-4265-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4265-1/"},{"reference_url":"https://usn.ubuntu.com/4265-2/","reference_id":"USN-4265-2","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4265-2/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/5442?format=json","purl":"pkg:deb/debian/spamassassin@3.4.2-1%2Bdeb10u3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-cpgs-5jfe-zqf3"},{"vulnerability":"VCID-fhuz-3pw2-8yfu"},{"vulnerability":"VCID-q7se-fcdw-67by"},{"vulnerability":"VCID-regp-69zy-jubu"},{"vulnerability":"VCID-td7w-kxqc-zkd4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/spamassassin@3.4.2-1%252Bdeb10u3"},{"url":"http://public2.vulnerablecode.io/api/packages/6094?format=json","purl":"pkg:deb/debian/s
pamassassin@3.4.6-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/spamassassin@3.4.6-1"}],"aliases":["CVE-2020-1930"],"risk_score":3.0,"exploitability":"0.5","weighted_severity":"6.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-regp-69zy-jubu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/101167?format=json","vulnerability_id":"VCID-td7w-kxqc-zkd4","summary":"In Apache SpamAssassin before 3.4.3, a message can be crafted in a way to use excessive resources. Upgrading to SA 3.4.3 as soon as possible is the recommended fix but details will not be shared publicly.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-12420.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-12420.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-12420","reference_id":"","reference_type":"","scores":[{"value":"0.17694","scoring_system":"epss","scoring_elements":"0.95234","published_at":"2026-06-04T12:55:00Z"},{"value":"0.17694","scoring_system":"epss","scoring_elements":"0.95249","published_at":"2026-06-09T12:55:00Z"},{"value":"0.17694","scoring_system":"epss","scoring_elements":"0.95246","published_at":"2026-06-07T12:55:00Z"},{"value":"0.17694","scoring_system":"epss","scoring_elements":"0.95245","published_at":"2026-06-08T12:55:00Z"},{"value":"0.17694","scoring_system":"epss","scoring_elements":"0.95242","published_at":"2026-06-05T12:55:00Z"},{"value":"0.17694","scoring_system":"epss","scoring_elements":"0.95243","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-12420"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11805","reference_id":"","reference
_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11805"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12420","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12420"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1784984","reference_id":"1784984","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1784984"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946653","reference_id":"946653","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946653"},{"reference_url":"https://security.archlinux.org/AVG-1077","reference_id":"AVG-1077","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1077"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:3973","reference_id":"RHSA-2020:3973","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:3973"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:4625","reference_id":"RHSA-2020:4625","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:4625"},{"reference_url":"https://usn.ubuntu.com/4237-1/","reference_id":"USN-4237-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4237-1/"},{"reference_url":"https://usn.ubuntu.com/4237-2/","reference_id":"USN-4237-2","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4237-2/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/5442?fo
rmat=json","purl":"pkg:deb/debian/spamassassin@3.4.2-1%2Bdeb10u3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-cpgs-5jfe-zqf3"},{"vulnerability":"VCID-fhuz-3pw2-8yfu"},{"vulnerability":"VCID-q7se-fcdw-67by"},{"vulnerability":"VCID-regp-69zy-jubu"},{"vulnerability":"VCID-td7w-kxqc-zkd4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/spamassassin@3.4.2-1%252Bdeb10u3"},{"url":"http://public2.vulnerablecode.io/api/packages/6094?format=json","purl":"pkg:deb/debian/spamassassin@3.4.6-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/spamassassin@3.4.6-1"}],"aliases":["CVE-2019-12420"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-td7w-kxqc-zkd4"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/101169?format=json","vulnerability_id":"VCID-cpgs-5jfe-zqf3","summary":"A command execution issue was found in Apache SpamAssassin prior to 3.4.3. Carefully crafted nefarious Configuration (.cf) files can be configured to run system commands similar to CVE-2018-11805. This issue is less stealthy and attempts to exploit the issue will throw warnings. Thanks to Damian Lukowski at credativ for reporting the issue ethically. With this bug unpatched, exploits can be injected in a number of scenarios though doing so remotely is difficult. 
In addition to upgrading to SA 3.4.4, we again recommend that users should only use update channels or 3rd party .cf files from trusted places.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-1931.json","reference_id":"","reference_type":"","scores":[{"value":"6.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-1931.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-1931","reference_id":"","reference_type":"","scores":[{"value":"0.01095","scoring_system":"epss","scoring_elements":"0.78329","published_at":"2026-06-04T12:55:00Z"},{"value":"0.01095","scoring_system":"epss","scoring_elements":"0.78355","published_at":"2026-06-05T12:55:00Z"},{"value":"0.01095","scoring_system":"epss","scoring_elements":"0.78364","published_at":"2026-06-06T12:55:00Z"},{"value":"0.01095","scoring_system":"epss","scoring_elements":"0.78354","published_at":"2026-06-07T12:55:00Z"},{"value":"0.01095","scoring_system":"epss","scoring_elements":"0.78341","published_at":"2026-06-08T12:55:00Z"},{"value":"0.01095","scoring_system":"epss","scoring_elements":"0.78359","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-1931"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1930","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1930"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1931","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1931"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https:
//ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1802975","reference_id":"1802975","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1802975"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950258","reference_id":"950258","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950258"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:4625","reference_id":"RHSA-2020:4625","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:4625"},{"reference_url":"https://usn.ubuntu.com/4265-1/","reference_id":"USN-4265-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4265-1/"},{"reference_url":"https://usn.ubuntu.com/4265-2/","reference_id":"USN-4265-2","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4265-2/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/5441?format=json","purl":"pkg:deb/debian/spamassassin@3.4.2-1~deb9u3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4as6-979e-1bcs"},{"vulnerability":"VCID-bjeb-jgr5-fkat"},{"vulnerability":"VCID-cpgs-5jfe-zqf3"},{"vulnerability":"VCID-fhuz-3pw2-8yfu"},{"vulnerability":"VCID-k96w-64ea-f3b7"},{"vulnerability":"VCID-q7se-fcdw-67by"},{"vulnerability":"VCID-regp-69zy-jubu"},{"vulnerability":"VCID-td7w-kxqc-zkd4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/spamassassin@3.4.2-1~deb9u3"},{"url":"http://public2.vulnerablecode.io/api/packages/5442?format=json","purl":"pkg:deb/debian/spamassassin@3.4.2-1%2Bdeb10u3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-cpgs-5jfe-zqf3"},{"vulnerability":"VCID-fhuz-3pw2-8yfu"},{"vulnerability":"VCID-q7se-fcdw-67by"},{"vulnerability":"VCID-regp-69zy-jubu"},{"vulnerability":"VCID-td7w-kxqc-zkd4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pk
g:deb/debian/spamassassin@3.4.2-1%252Bdeb10u3"},{"url":"http://public2.vulnerablecode.io/api/packages/6094?format=json","purl":"pkg:deb/debian/spamassassin@3.4.6-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/spamassassin@3.4.6-1"}],"aliases":["CVE-2020-1931"],"risk_score":3.0,"exploitability":"0.5","weighted_severity":"6.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cpgs-5jfe-zqf3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/101166?format=json","vulnerability_id":"VCID-q7se-fcdw-67by","summary":"In Apache SpamAssassin before 3.4.3, nefarious CF files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA 3.4.3, we recommend that users should only use update channels or 3rd party .cf files from trusted places.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-11805.json","reference_id":"","reference_type":"","scores":[{"value":"6.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-11805.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-11805","reference_id":"","reference_type":"","scores":[{"value":"0.0007","scoring_system":"epss","scoring_elements":"0.21601","published_at":"2026-06-04T12:55:00Z"},{"value":"0.0007","scoring_system":"epss","scoring_elements":"0.21679","published_at":"2026-06-05T12:55:00Z"},{"value":"0.0007","scoring_system":"epss","scoring_elements":"0.21666","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0007","scoring_system":"epss","scoring_elements":"0.2162","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0007","scoring_system":"epss","scoring_elements":"0.21562","published_at":"2026-06-08T12:55:00Z"},{"value":"0.0007","scori
ng_system":"epss","scoring_elements":"0.21571","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-11805"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11805","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11805"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12420","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12420"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1784974","reference_id":"1784974","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1784974"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946652","reference_id":"946652","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946652"},{"reference_url":"https://security.archlinux.org/AVG-1077","reference_id":"AVG-1077","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1077"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:4625","reference_id":"RHSA-2020:4625","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:4625"},{"reference_url":"https://usn.ubuntu.com/4237-1/","reference_id":"USN-4237-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4237-1/"},{"reference_url":"https://usn.ubuntu.com/4237-2/","reference_id":"USN-4237-2","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4237-2/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/5441?format=json","purl":"pkg:deb/debian/spamassassin@3.4.2-1~deb9u3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4as6-979e-1bcs"},{"vulnerability":"VCID-bjeb-jgr5-fkat"},{"vulnerability":"VCID-cpgs-5jfe-zqf3"},{"vulnerability":"VCI
D-fhuz-3pw2-8yfu"},{"vulnerability":"VCID-k96w-64ea-f3b7"},{"vulnerability":"VCID-q7se-fcdw-67by"},{"vulnerability":"VCID-regp-69zy-jubu"},{"vulnerability":"VCID-td7w-kxqc-zkd4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/spamassassin@3.4.2-1~deb9u3"},{"url":"http://public2.vulnerablecode.io/api/packages/5442?format=json","purl":"pkg:deb/debian/spamassassin@3.4.2-1%2Bdeb10u3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-cpgs-5jfe-zqf3"},{"vulnerability":"VCID-fhuz-3pw2-8yfu"},{"vulnerability":"VCID-q7se-fcdw-67by"},{"vulnerability":"VCID-regp-69zy-jubu"},{"vulnerability":"VCID-td7w-kxqc-zkd4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/spamassassin@3.4.2-1%252Bdeb10u3"},{"url":"http://public2.vulnerablecode.io/api/packages/6094?format=json","purl":"pkg:deb/debian/spamassassin@3.4.6-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/spamassassin@3.4.6-1"}],"aliases":["CVE-2018-11805"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-q7se-fcdw-67by"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/101168?format=json","vulnerability_id":"VCID-regp-69zy-jubu","summary":"A command execution issue was found in Apache SpamAssassin prior to 3.4.3. Carefully crafted nefarious rule configuration (.cf) files can be configured to run system commands similar to CVE-2018-11805. With this bug unpatched, exploits can be injected in a number of scenarios including the same privileges as spamd is run which may be elevated though doing so remotely is difficult. In addition to upgrading to SA 3.4.4, we again recommend that users should only use update channels or 3rd party .cf files from trusted places. 
If you cannot upgrade, do not use 3rd party rulesets, do not use sa-compile and do not run spamd as an account with elevated privileges.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-1930.json","reference_id":"","reference_type":"","scores":[{"value":"6.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-1930.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-1930","reference_id":"","reference_type":"","scores":[{"value":"0.00965","scoring_system":"epss","scoring_elements":"0.76904","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00965","scoring_system":"epss","scoring_elements":"0.76937","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00965","scoring_system":"epss","scoring_elements":"0.76946","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00965","scoring_system":"epss","scoring_elements":"0.76934","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00965","scoring_system":"epss","scoring_elements":"0.76923","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00965","scoring_system":"epss","scoring_elements":"0.76944","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-1930"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1930","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1930"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1931","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1931"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://ftp.s
use.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1802977","reference_id":"1802977","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1802977"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950258","reference_id":"950258","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950258"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:4625","reference_id":"RHSA-2020:4625","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:4625"},{"reference_url":"https://usn.ubuntu.com/4265-1/","reference_id":"USN-4265-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4265-1/"},{"reference_url":"https://usn.ubuntu.com/4265-2/","reference_id":"USN-4265-2","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4265-2/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/5441?format=json","purl":"pkg:deb/debian/spamassassin@3.4.2-1~deb9u3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4as6-979e-1bcs"},{"vulnerability":"VCID-bjeb-jgr5-fkat"},{"vulnerability":"VCID-cpgs-5jfe-zqf3"},{"vulnerability":"VCID-fhuz-3pw2-8yfu"},{"vulnerability":"VCID-k96w-64ea-f3b7"},{"vulnerability":"VCID-q7se-fcdw-67by"},{"vulnerability":"VCID-regp-69zy-jubu"},{"vulnerability":"VCID-td7w-kxqc-zkd4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/spamassassin@3.4.2-1~deb9u3"},{"url":"http://public2.vulnerablecode.io/api/packages/5442?format=json","purl":"pkg:deb/debian/spamassassin@3.4.2-1%2Bdeb10u3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-cpgs-5jfe-zqf3"},{"vulnerability":"VCID-fhuz-3pw2-8yfu"},{"vulnerability":"VCID-q7se-fcdw-67by"},{"vulnerability":"VCID-regp-69zy-jubu"},{"vulnerability":"VCID-td7w-kxqc-zkd4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/d
ebian/spamassassin@3.4.2-1%252Bdeb10u3"},{"url":"http://public2.vulnerablecode.io/api/packages/6094?format=json","purl":"pkg:deb/debian/spamassassin@3.4.6-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/spamassassin@3.4.6-1"}],"aliases":["CVE-2020-1930"],"risk_score":3.0,"exploitability":"0.5","weighted_severity":"6.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-regp-69zy-jubu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/101167?format=json","vulnerability_id":"VCID-td7w-kxqc-zkd4","summary":"In Apache SpamAssassin before 3.4.3, a message can be crafted in a way to use excessive resources. Upgrading to SA 3.4.3 as soon as possible is the recommended fix but details will not be shared publicly.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-12420.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-12420.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-12420","reference_id":"","reference_type":"","scores":[{"value":"0.17694","scoring_system":"epss","scoring_elements":"0.95234","published_at":"2026-06-04T12:55:00Z"},{"value":"0.17694","scoring_system":"epss","scoring_elements":"0.95249","published_at":"2026-06-09T12:55:00Z"},{"value":"0.17694","scoring_system":"epss","scoring_elements":"0.95246","published_at":"2026-06-07T12:55:00Z"},{"value":"0.17694","scoring_system":"epss","scoring_elements":"0.95245","published_at":"2026-06-08T12:55:00Z"},{"value":"0.17694","scoring_system":"epss","scoring_elements":"0.95242","published_at":"2026-06-05T12:55:00Z"},{"value":"0.17694","scoring_system":"epss","scoring_elements":"0.95243","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v
1/epss?cve=CVE-2019-12420"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11805","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11805"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12420","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12420"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1784984","reference_id":"1784984","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1784984"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946653","reference_id":"946653","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946653"},{"reference_url":"https://security.archlinux.org/AVG-1077","reference_id":"AVG-1077","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1077"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:3973","reference_id":"RHSA-2020:3973","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:3973"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:4625","reference_id":"RHSA-2020:4625","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:4625"},{"reference_url":"https://usn.ubuntu.com/4237-1/","reference_id":"USN-4237-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4237-1/"},{"reference_url":"https://usn.ubuntu.com/4237-2/","reference_id":"USN-4237-2","reference_type
":"","scores":[],"url":"https://usn.ubuntu.com/4237-2/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/5441?format=json","purl":"pkg:deb/debian/spamassassin@3.4.2-1~deb9u3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-4as6-979e-1bcs"},{"vulnerability":"VCID-bjeb-jgr5-fkat"},{"vulnerability":"VCID-cpgs-5jfe-zqf3"},{"vulnerability":"VCID-fhuz-3pw2-8yfu"},{"vulnerability":"VCID-k96w-64ea-f3b7"},{"vulnerability":"VCID-q7se-fcdw-67by"},{"vulnerability":"VCID-regp-69zy-jubu"},{"vulnerability":"VCID-td7w-kxqc-zkd4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/spamassassin@3.4.2-1~deb9u3"},{"url":"http://public2.vulnerablecode.io/api/packages/5442?format=json","purl":"pkg:deb/debian/spamassassin@3.4.2-1%2Bdeb10u3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-cpgs-5jfe-zqf3"},{"vulnerability":"VCID-fhuz-3pw2-8yfu"},{"vulnerability":"VCID-q7se-fcdw-67by"},{"vulnerability":"VCID-regp-69zy-jubu"},{"vulnerability":"VCID-td7w-kxqc-zkd4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/spamassassin@3.4.2-1%252Bdeb10u3"},{"url":"http://public2.vulnerablecode.io/api/packages/6094?format=json","purl":"pkg:deb/debian/spamassassin@3.4.6-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/spamassassin@3.4.6-1"}],"aliases":["CVE-2019-12420"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-td7w-kxqc-zkd4"}],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/spamassassin@3.4.2-1~deb9u3"}