CVE-2024-20328

01.03.2024, 21:15

A vulnerability in the VirusEvent feature of ClamAV could allow a local attacker to inject arbitrary commands with the privileges of the application service account.The vulnerability is due to unsafe handling of file names. A local attacker could exploit this vulnerability by supplying a file name containing command-line sequences. When processed on a system using configuration options for the VirusEvent feature, the attacker could cause the application to execute arbitrary commands.
ClamAV has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

OS Command Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	5.3 MEDIUM	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
cisco	CNA	5.3 MEDIUM	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CISA-ADP	ADP	---				---
CVE	ADP	---				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 16%

Debian Releases

Debian Product

Codename

clamav

bullseye	0.103.10+dfsg-0+deb11u1 not-affected
buster	not-affected
bullseye (security)	1.0.7+dfsg-1~deb11u2 fixed
bookworm	1.0.7+dfsg-1~deb12u1 fixed
trixie	1.4.3+dfsg-1 fixed
sid	1.4.3+dfsg-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

clamav

noble	Fixed 1.0.5+dfsg-1ubuntu1 released
mantic	Fixed 1.0.5+dfsg-0ubuntu0.23.10.1 released
jammy	not-affected
focal	not-affected
bionic	not-affected
xenial	not-affected
trusty	not-affected

Common Weakness Enumeration

CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References

https://blog.clamav.net/2023/11/clamav-130-122-105-released.html