{"id":"UBUNTU-CVE-2020-7247","details":"smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL FROM field. This affects the \"uncommented\" default configuration. The issue exists because of an incorrect return value upon failure of input validation.","modified":"2026-02-04T03:46:35.846654Z","published":"2020-01-29T16:15:00Z","related":["USN-4268-1","USN-4875-1"],"upstream":["CVE-2020-7247"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2020-7247"},{"type":"REPORT","url":"https://www.openwall.com/lists/oss-security/2020/01/28/3"},{"type":"REPORT","url":"https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/019_smtpd_exec.patch.sig"},{"type":"REPORT","url":"https://github.com/OpenSMTPD/OpenSMTPD/commit/be6ef06cba9484d008d9f057e6b25d863cf278ff"},{"type":"REPORT","url":"http://packetstormsecurity.com/files/156137/OpenBSD-OpenSMTPD-Privilege-Escalation-Code-Execution.html"},{"type":"REPORT","url":"http://packetstormsecurity.com/files/156145/OpenSMTPD-6.6.2-Remote-Code-Execution.html"},{"type":"REPORT","url":"http://www.openwall.com/lists/oss-security/2020/01/28/3"},{"type":"REPORT","url":"https://seclists.org/bugtraq/2020/Jan/51"},{"type":"REPORT","url":"https://www.debian.org/security/2020/dsa-4611"},{"type":"REPORT","url":"https://www.kb.cert.org/vuls/id/390745"},{"type":"REPORT","url":"https://www.openbsd.org/security.html"},{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-4268-1"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2020-7247"},{"type":"REPORT","url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog"},{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-4875-1"}],"affected":[{"package":{"name":"opensmtpd","ecosystem":"Ubuntu:Pro:14.04:LTS","purl":"pkg:deb/ubuntu/opensmtpd@5.4.1p1-1ubuntu0.1~esm1?arch=source&distro=trusty/esm"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.4.1p1-1ubuntu0.1~esm1"}]}],"versions":["5.3.3p1-4","5.4.1p1-1"],"ecosystem_specific":{"binaries":[{"binary_version":"5.4.1p1-1ubuntu0.1~esm1","binary_name":"opensmtpd"}],"availability":"Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2020/UBUNTU-CVE-2020-7247.json"}},{"package":{"name":"opensmtpd","ecosystem":"Ubuntu:Pro:16.04:LTS","purl":"pkg:deb/ubuntu/opensmtpd@5.7.3p2-1ubuntu0.1~esm1?arch=source&distro=esm-apps/xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.7.3p2-1ubuntu0.1~esm1"}]}],"versions":["5.4.2p1-4","5.7.3p1-1","5.7.3p2-1"],"ecosystem_specific":{"binaries":[{"binary_version":"5.7.3p2-1ubuntu0.1~esm1","binary_name":"opensmtpd"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2020/UBUNTU-CVE-2020-7247.json"}},{"package":{"name":"opensmtpd","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/opensmtpd@6.0.3p1-1ubuntu0.1?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.0.3p1-1ubuntu0.1"}]}],"versions":["6.0.2p1-2build1","6.0.3p1-1","6.0.3p1-1build1"],"ecosystem_specific":{"binaries":[{"binary_version":"6.0.3p1-1ubuntu0.1","binary_name":"opensmtpd"}],"availability":"No subscription required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2020/UBUNTU-CVE-2020-7247.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"high"}]}