Vulnerability DatabaseCVE-2020-1946

CVE-2020-1946:
Apache SpamAssassin vulnerability analysis and mitigation

Overview

In Apache SpamAssassin before version 3.4.5, a vulnerability was discovered that allows malicious rule configuration (.cf) files to execute system commands without any output or errors. The vulnerability, tracked as CVE-2020-1946, was discovered by Damian Lukowski at credativ and was first recorded on December 2, 2019 (CVE Mitre, Apache Security).

Technical details

The vulnerability stems from improper handling of configuration (.cf) files in SpamAssassin, a Perl-based spam filter using text analysis. The flaw allows malicious rule configuration files to execute arbitrary system commands silently, without generating any output or error messages that might alert administrators to the exploitation (Gentoo Security, Debian Security).

Impact

The vulnerability enables remote attackers to execute arbitrary commands with the privileges of the SpamAssassin process. This could potentially lead to system compromise or result in a Denial of Service condition. The impact is particularly significant as the exploitation can occur through multiple scenarios, including automated updates from compromised update servers (Gentoo Security).

Mitigation and workarounds

The primary mitigation is to upgrade SpamAssassin to version 3.4.5 or later. Additionally, users are strongly advised to only use update channels or third-party .cf files from trusted sources. For systems where immediate upgrade is not possible, there are no known workarounds, making the upgrade the only effective solution (Debian LTS, Gentoo Security).

Additional resources

Source: This report was generated using AI

View vulnerable instances

Not a Wiz customer? See which CVEs are exploitable in your environment.

Get a CVE Assessment

9.8

Score

Published March 25, 2021

Severity CRITICAL

CNA Score N/A

Affected Technologies

Apache SpamAssassin
Linux openSUSE

Has Public Exploit No

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 80.6

Exploitation Probability (EPSS) 1.5

Affected packages and libraries

spamassassin
spamassassin-debuginfo

Sources

AlmaLinux Security Advisory
- AlmaLinux 8 Severity MEDIUMHas FixAdded at: Jul 20, 2022
Alpine Security Tracker
- Alpine 3.10, 3.11, 3.12, 3.13, 3.14 Severity CRITICALHas FixAdded at: Nov 23, 2021
- Alpine 3.15 Severity CRITICALHas FixAdded at: Nov 25, 2021
- Alpine 3.16 Severity CRITICALHas FixAdded at: May 24, 2022
- Alpine 3.17 Severity CRITICALHas FixAdded at: Nov 23, 2022
- Alpine 3.18 Severity CRITICALHas FixAdded at: May 10, 2023
- Alpine 3.19 Severity CRITICALHas FixAdded at: Dec 10, 2023
- Alpine 3.20 Severity CRITICALHas FixAdded at: May 26, 2024
- Alpine 3.21 Severity CRITICALHas FixAdded at: Dec 08, 2024
- Alpine 3.22 Severity CRITICALHas FixAdded at: Jun 01, 2025
- Alpine 3.23 Severity CRITICALHas FixAdded at: Dec 04, 2025
- Alpine edge Severity CRITICALHas FixAdded at: Jun 19, 2023
Debian Security Tracker
- Debian 9, 10, 11, 12 Severity CRITICALHas FixAdded at: Nov 23, 2021
- Debian 13 Severity CRITICALHas FixAdded at: Jun 11, 2023
- Debian 14 Severity CRITICALHas FixAdded at: Aug 10, 2025
Echo
- Echo Severity CRITICALHas FixAdded at: Nov 18, 2025
Gentoo Advisory Database
- Gentoo Severity MEDIUMHas FixAdded at: Jul 24, 2022
Red Hat Errata
- Red Hat 6, 7 Severity MEDIUMNo FixAdded at: Nov 23, 2021
- Red Hat 8 Severity MEDIUMHas FixAdded at: Nov 23, 2021
Rocky Linux Product Errata
- Rocky 8 Severity MEDIUMHas FixAdded at: Dec 07, 2025
Ubuntu Security Tracker
- Ubuntu 14.04 Severity MEDIUMHas FixAdded at: Mar 28, 2022
- Ubuntu 16.04, 18.04, 20.04 Severity MEDIUMHas FixAdded at: Nov 23, 2021
NVD
- Linux Severity CRITICALHas FixAdded at: Nov 23, 2021
- Windows Severity CRITICALHas FixAdded at: Nov 23, 2021

Get a CVE risk assessment

Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.

Request assessment

Related Apache SpamAssassin vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2020-1946	CRITICAL	9.8	Apache SpamAssassin	spamassassin	No	Yes	Mar 25, 2021
CVE-2020-1931	HIGH	8.1	Apache SpamAssassin	spamassassin-debuginfo	No	Yes	Jan 30, 2020
CVE-2020-1930	HIGH	8.1	Apache SpamAssassin	spamassassin-debuginfo	No	Yes	Jan 30, 2020
CVE-2019-12420	HIGH	7.5	Apache SpamAssassin	spamassassin	No	Yes	Dec 12, 2019
CVE-2018-11805	MEDIUM	6.7	Apache SpamAssassin	spamassassin-debugsource	No	Yes	Dec 12, 2019

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

A threat intelligence database

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."

David EstlickCISO

"Wiz provides a single pane of glass to see what is going on in our cloud environments."

Adam FletcherChief Security Officer

"We know that if Wiz identifies something as critical, it actually is."

Greg PoniatowskiHead of Threat and Vulnerability Management

Get a demo

CVE-2020-1946: Apache SpamAssassin vulnerability analysis and mitigation