CVE-2024-20328

EUVD-2024-18043
A vulnerability in the VirusEvent feature of ClamAV could allow a local attacker to inject arbitrary commands with the privileges of the application service account.The vulnerability is due to unsafe handling of file names. A local attacker could exploit this vulnerability by supplying a file name containing command-line sequences. When processed on a system using configuration options for the VirusEvent feature, the attacker could cause the application to execute arbitrary commands.
ClamAV has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
OS Command Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.3 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
ciscoCNA
5.3 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 41%
Affected Products (NVD)
VendorProductVersion
clamavclamav
1.0.0 ≤
𝑥
< 1.0.5
clamavclamav
1.2.0 ≤
𝑥
< 1.2.2
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
clamav
bookworm
1.0.9+dfsg-1~deb12u1
fixed
bullseye
0.103.10+dfsg-0+deb11u1
not-affected
bullseye (security)
1.0.9+dfsg-1~deb11u1
fixed
buster
not-affected
forky
1.4.3+dfsg-2
fixed
sid
1.4.3+dfsg-2
fixed
trixie
1.4.3+dfsg-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
clamav
bionic
not-affected
focal
not-affected
jammy
not-affected
mantic
Fixed 1.0.5+dfsg-0ubuntu0.23.10.1
released
noble
Fixed 1.0.5+dfsg-1ubuntu1
released
trusty
not-affected
xenial
not-affected
Common Weakness Enumeration
References
https://blog.clamav.net/2023/11/clamav-130-122-105-released.html
https://blog.clamav.net/2023/11/clamav-130-122-105-released.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5FXZYVDNV66RNMNVJOHAJAYRZV4U64CQ/