CVE-2020-7247
CRITICAL | CISA KEV | 9.8
Description
smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL FROM field. This affects the "uncommented" default configuration. The issue exists because of an incorrect return value upon failure of input validation.
CVE details
CVSS v3.1 score: 9.8
Severity: CRITICAL
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
User interaction: NONE
Published: 1/29/2020
Last modified: 11/7/2025
Source: kev
Honeypot sightings: 0
CISA KEV
Vendor: OpenBSD
Product: OpenSMTPD
Vulnerability name: OpenSMTPD Remote Code Execution Vulnerability
Date added to KEV: 2022-03-25
Remediation due date: 2022-04-15
Known ransomware use: Unknown
Affected products
canonical:ubuntu_linux
debian:debian_linux
fedoraproject:fedora
openbsd:opensmtpd
Weaknesses (CWE)
CWE-78 (OS Command Injection)
CWE-755 (Improper Handling of Exceptional Conditions)
References
http://packetstormsecurity.com/files/156137/OpenBSD-OpenSMTPD-Privilege-Escalation-Code-Execution.html (sources: cve@mitre.org; af854a3a-2127-422b-91ae-364da2661108)
http://packetstormsecurity.com/files/156145/OpenSMTPD-6.6.2-Remote-Code-Execution.html (sources: cve@mitre.org; af854a3a-2127-422b-91ae-364da2661108)
http://packetstormsecurity.com/files/156249/OpenSMTPD-MAIL-FROM-Remote-Code-Execution.html (sources: cve@mitre.org; af854a3a-2127-422b-91ae-364da2661108)
http://packetstormsecurity.com/files/156295/OpenSMTPD-6.6.1-Local-Privilege-Escalation.html (sources: cve@mitre.org; af854a3a-2127-422b-91ae-364da2661108)
http://packetstormsecurity.com/files/162093/OpenBSD-OpenSMTPD-6.6-Remote-Code-Execution.html (sources: cve@mitre.org; af854a3a-2127-422b-91ae-364da2661108)
http://seclists.org/fulldisclosure/2020/Jan/49 (sources: cve@mitre.org; af854a3a-2127-422b-91ae-364da2661108)
http://www.openwall.com/lists/oss-security/2020/01/28/3 (sources: cve@mitre.org; af854a3a-2127-422b-91ae-364da2661108)
https://github.com/openbsd/src/commit/9dcfda045474d8903224d175907bfc29761dcb45 (source: af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OPH4QU4DNVHA7ACFXMYFCEP5PSXXPN4E/ (sources: cve@mitre.org; af854a3a-2127-422b-91ae-364da2661108)
https://seclists.org/bugtraq/2020/Jan/51 (sources: cve@mitre.org; af854a3a-2127-422b-91ae-364da2661108)
https://usn.ubuntu.com/4268-1/ (sources: cve@mitre.org; af854a3a-2127-422b-91ae-364da2661108)
https://www.debian.org/security/2020/dsa-4611 (sources: cve@mitre.org; af854a3a-2127-422b-91ae-364da2661108)
https://www.kb.cert.org/vuls/id/390745 (sources: cve@mitre.org; af854a3a-2127-422b-91ae-364da2661108)
https://www.openbsd.org/security.html (sources: cve@mitre.org; af854a3a-2127-422b-91ae-364da2661108)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-7247 (source: 134c704f-9b21-4f2e-91b3-4a467353bcc0)
IOC correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.