CVE-2018-11805: 
Apache SpamAssassin vulnerability analysis and mitigation

CVE-2018-11805 affects Apache SpamAssassin versions before 3.4.3, where malicious configuration (CF) files can be configured to run system commands without any output or errors. The vulnerability was disclosed on December 12, 2019, and affects the core functionality of SpamAssassin's rule processing system (Apache Announcement).

The vulnerability allows nefarious CF files to execute arbitrary system commands silently, without generating any output or error messages that would alert administrators. The issue received a CVSS v3.1 Base Score of 6.7 (MEDIUM) with vector CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, indicating local access is required but potential impact is high across confidentiality, integrity and availability (NVD).

If exploited, this vulnerability could allow attackers to execute arbitrary commands with the same privileges as the SpamAssassin process, which may be elevated in some configurations. The silent nature of the exploit makes detection particularly difficult, as no warnings or errors are generated when malicious commands are executed (OpenWall).

The primary mitigation is to upgrade to SpamAssassin version 3.4.3 or later. If immediate upgrade is not possible, users should only use update channels or third-party .cf files from trusted sources. Additional recommendations include avoiding the use of third-party rulesets, disabling sa-compile, and not running spamd with elevated privileges (Apache Announcement).