Bug 1219725 (CVE-2024-20328)

Summary: VUL-0: CVE-2024-20328: clamav: clamav: command injection vulnerability in the "VirusEvent" feature of ClamD service
Product: [Novell Products] SUSE Security Incidents
Reporter: SMASH SMASH <smash_bz>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P5 - None
CC: andrea.mattiazzo
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/393393/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-20328:7.4:(AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description SMASH SMASH 2024-02-08 09:32:20 UTC
CVE-2024-20328: Fixed a possible command injection vulnerability in the "VirusEvent" feature of ClamAV's ClamD service. To fix this issue, we disabled the '%f' format string parameter. ClamD administrators may continue to use the `CLAM_VIRUSEVENT_FILENAME` environment variable, instead of '%f'. But you should do so only from within an executable, such as a Python script, and not directly in the clamd.conf "VirusEvent" command.

Affected versions:
0.104 (all patch versions)
0.105 (all patch versions)
1.0.0 through 1.0.4 (LTS)
1.1 (all patch versions)
1.2.0 and 1.2.1

References:
https://blog.clamav.net/2023/11/clamav-130-122-105-released.html
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-20328
https://bugzilla.redhat.com/show_bug.cgi?id=2263264

Patch:
https://github.com/Cisco-Talos/clamav/commit/fe7638287bb11419474ea314652404e7e9b314b2
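The advisory above says the safe pattern is to read `CLAM_VIRUSEVENT_FILENAME` from inside an executable rather than expanding a file name into the clamd.conf "VirusEvent" command line. The script below is an added example of that pattern, written for this report; it is not ClamAV project code. It assumes a hypothetical install path `/usr/local/bin/virus_event.py` referenced from clamd.conf, a hypothetical log path, a `logger` binary at `/usr/bin/logger`, and that clamd also exports `CLAM_VIRUSEVENT_VIRUSNAME` (documented by clamd, but not named in this report). The point it demonstrates is that the file name only ever exists as an opaque string in one argv element or one JSON value, so shell metacharacters in a scanned file's name have nothing to inject into.

```python
#!/usr/bin/env python3
"""VirusEvent handler that takes the detected file name from the environment.

Added example, not ClamAV project code. Intended to be referenced from
clamd.conf as (hypothetical path):

    VirusEvent /usr/local/bin/virus_event.py

clamd then runs this script with CLAM_VIRUSEVENT_FILENAME (named in the
advisory) and CLAM_VIRUSEVENT_VIRUSNAME (also set by clamd; assumption here)
in the environment. No '%f' and no shell expansion is involved anywhere.
"""
import json
import os
import subprocess
import time
from typing import Mapping

LOG_PATH = "/var/log/clamav/virus-events.jsonl"  # hypothetical, adjust locally
LOGGER_BIN = "/usr/bin/logger"                   # assumed location of logger(1)


def read_event(env: Mapping[str, str]) -> dict:
    """Pull the event fields out of the environment as opaque strings.

    The file name is never parsed, split or interpolated: whatever the
    scanned file was called (quotes, semicolons, newlines, '$(' ...), it
    stays inside one Python string.
    """
    return {
        "ts": int(time.time()),
        "filename": env.get("CLAM_VIRUSEVENT_FILENAME", ""),
        "virusname": env.get("CLAM_VIRUSEVENT_VIRUSNAME", ""),
    }


def log_line(event: dict) -> str:
    """Serialise one event as a single JSON line.

    JSON escaping guarantees that a newline or quote in the file name cannot
    break the log format or forge a second, fake record.
    """
    return json.dumps(event, ensure_ascii=True)


def notify_argv(event: dict, logger: str = LOGGER_BIN) -> list:
    """Build the argv for a syslog notification via logger(1).

    The message is one argv element and no shell is used, so characters
    such as ';', '`' or '$(' in the file name are just characters.
    """
    message = "detected %s in %s" % (event["virusname"], event["filename"])
    return [logger, "-t", "clamd-virus-event", "-p", "user.warning", message]


def handle(env: Mapping[str, str], log_path: str = LOG_PATH,
           notify: bool = True) -> dict:
    """Record the event to the JSON log and, optionally, to syslog."""
    event = read_event(env)
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(log_line(event) + "\n")
    if notify:
        # A list argv with the default shell=False: the kernel receives the
        # arguments directly, so there is no command line to inject into.
        subprocess.run(notify_argv(event), check=False)
    return event


if __name__ == "__main__":
    handle(os.environ)
```

The contrast with the vulnerable configuration is what matters: with '%f' the file name was substituted into a command string that a shell interpreted, so the name of the scanned file became part of the command; here the name reaches the handler only through the process environment, and the handler passes it on only as a whole argv element or a JSON-escaped value.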
Comment 1 Andrea Mattiazzo 2024-02-08 09:32:54 UTC
Closed because all code streams are not affected.