← Zuruck zu CVEs
CVE-2020-7247
CRITICALCISA KEV9.8
Beschreibung
smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL FROM field. This affects the "uncommented" default configuration. The issue exists because of an incorrect return value upon failure of input validation.
CVE Details
CVSS v3.1 Bewertung9.8
SchweregradCRITICAL
CVSS VektorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AngriffsvektorNETWORK
KomplexitatLOW
Erforderliche PrivilegienNONE
BenutzerinteraktionNONE
Veroffentlicht1/29/2020
Zuletzt geandert11/7/2025
Quellekev
Honeypot-Sichtungen0
CISA KEV
HerstellerOpenBSD
ProduktOpenSMTPD
SchwachstellennameOpenSMTPD Remote Code Execution Vulnerability
KEV Aufnahmedatum2022-03-25
Behebungsfrist2022-04-15
Ransomware-NutzungUnknown
Betroffene Produkte
canonical:ubuntu_linuxdebian:debian_linuxfedoraproject:fedoraopenbsd:opensmtpd
Schwachen (CWE)
CWE-78CWE-755CWE-755
Referenzen
http://packetstormsecurity.com/files/156137/OpenBSD-OpenSMTPD-Privilege-Escalation-Code-Execution.html(cve@mitre.org)
http://packetstormsecurity.com/files/156145/OpenSMTPD-6.6.2-Remote-Code-Execution.html(cve@mitre.org)
http://packetstormsecurity.com/files/156249/OpenSMTPD-MAIL-FROM-Remote-Code-Execution.html(cve@mitre.org)
http://packetstormsecurity.com/files/156295/OpenSMTPD-6.6.1-Local-Privilege-Escalation.html(cve@mitre.org)
http://packetstormsecurity.com/files/162093/OpenBSD-OpenSMTPD-6.6-Remote-Code-Execution.html(cve@mitre.org)
http://seclists.org/fulldisclosure/2020/Jan/49(cve@mitre.org)
http://www.openwall.com/lists/oss-security/2020/01/28/3(cve@mitre.org)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OPH4QU4DNVHA7ACFXMYFCEP5PSXXPN4E/(cve@mitre.org)
https://seclists.org/bugtraq/2020/Jan/51(cve@mitre.org)
https://usn.ubuntu.com/4268-1/(cve@mitre.org)
https://www.debian.org/security/2020/dsa-4611(cve@mitre.org)
https://www.kb.cert.org/vuls/id/390745(cve@mitre.org)
https://www.openbsd.org/security.html(cve@mitre.org)
http://packetstormsecurity.com/files/156137/OpenBSD-OpenSMTPD-Privilege-Escalation-Code-Execution.html(af854a3a-2127-422b-91ae-364da2661108)
http://packetstormsecurity.com/files/156145/OpenSMTPD-6.6.2-Remote-Code-Execution.html(af854a3a-2127-422b-91ae-364da2661108)
http://packetstormsecurity.com/files/156249/OpenSMTPD-MAIL-FROM-Remote-Code-Execution.html(af854a3a-2127-422b-91ae-364da2661108)
http://packetstormsecurity.com/files/156295/OpenSMTPD-6.6.1-Local-Privilege-Escalation.html(af854a3a-2127-422b-91ae-364da2661108)
http://packetstormsecurity.com/files/162093/OpenBSD-OpenSMTPD-6.6-Remote-Code-Execution.html(af854a3a-2127-422b-91ae-364da2661108)
http://seclists.org/fulldisclosure/2020/Jan/49(af854a3a-2127-422b-91ae-364da2661108)
http://www.openwall.com/lists/oss-security/2020/01/28/3(af854a3a-2127-422b-91ae-364da2661108)
https://github.com/openbsd/src/commit/9dcfda045474d8903224d175907bfc29761dcb45(af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OPH4QU4DNVHA7ACFXMYFCEP5PSXXPN4E/(af854a3a-2127-422b-91ae-364da2661108)
https://seclists.org/bugtraq/2020/Jan/51(af854a3a-2127-422b-91ae-364da2661108)
https://usn.ubuntu.com/4268-1/(af854a3a-2127-422b-91ae-364da2661108)
https://www.debian.org/security/2020/dsa-4611(af854a3a-2127-422b-91ae-364da2661108)
https://www.kb.cert.org/vuls/id/390745(af854a3a-2127-422b-91ae-364da2661108)
https://www.openbsd.org/security.html(af854a3a-2127-422b-91ae-364da2661108)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-7247(134c704f-9b21-4f2e-91b3-4a467353bcc0)
IOC Korrelationen
Keine Korrelationen erfasst
This product uses data from the NVD API but is not endorsed or certified by the NVD.