{"schema_version": "1.6.1", "id": "CVE-2020-1946", "summary": "Apache SpamAssassin has an OS Command Injection vulnerability", "details": "In Apache SpamAssassin before 3.4.5, malicious rule configuration (.cf) files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios.  In addition to upgrading to SA version 3.4.5, users should only use update channels or 3rd party .cf files from trusted places. ", "affected": [{"ranges": [{"type": "SEMVER", "events": [{"introduced": "Apache SpamAssassin"}, {"fixed": "3.4.5"}]}]}], "references": [{"type": "ADVISORY", "url": "https://s.apache.org/3r1wh"}]}