CVE-2020-3123: 
Clam AntiVirus vulnerability analysis and mitigation

A vulnerability (CVE-2020-3123) was discovered in the Data-Loss-Prevention (DLP) module of Clam AntiVirus (ClamAV) Software versions 0.102.1 and 0.102.0. The vulnerability was disclosed on February 5, 2020, affecting the optional DLP feature in ClamAV. This security issue could allow an unauthenticated, remote attacker to cause a denial of service condition on affected devices (ClamAV Blog, CVE Mitre).

The vulnerability stems from an out-of-bounds read condition affecting users who have enabled the optional DLP feature. The issue occurs due to improper bounds checking of an unsigned variable, which results in an out-of-bounds read operation. The vulnerability has been assigned a CVSS 3.1 Base Score of 7.5 (High), with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (Ubuntu Security).

When successfully exploited, this vulnerability can cause the ClamAV scanning process to crash, resulting in a denial of service condition. The impact is limited to availability, with no direct effect on confidentiality or integrity of the system (CVE Mitre).

The vulnerability was patched in ClamAV version 0.102.2. Users are advised to upgrade to this version or later to address the security issue. The fix was released on February 5, 2020, and has been backported to various Linux distributions including Ubuntu, Debian, and Gentoo (ClamAV Blog, Gentoo Security).